**Data type**: int
**Value**: `1`| #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -45,15 +51,15 @@ Follow the steps in [Apply a provisioning package][WIN-2] to apply the package t ## How to use the education themes -Once the education themes are enabled, the device will download them as soon as a user signs in to the device. +Once the education themes are enabled, the device downloads them as soon as a user signs in to the device. To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme** -:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true"::: +:::image type="content" source="./images/win-11-se-themes.png" alt-text="Screenshot of Windows 11 education themes selection" border="true"::: ----------- -[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 +[INT-1]: /mem/intune/configuration/custom-settings-windows-10 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package -[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package \ No newline at end of file +[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 4799a4d3cc..36a0de01ff 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,12 +1,12 @@ --- title: Configure federated sign-in for Windows devices -description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages. -ms.date: 03/15/2023 +description: Learn how federated sign-in in Windows works and how to configure it. +ms.date: 09/11/2023 ms.topic: how-to appliesto: - ✅ Windows 11 + - ✅ Windows 11 SE ms.collection: - - highpri - tier1 - education --- @@ -34,52 +34,67 @@ To implement federated sign-in, the following prerequisites must be met: - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md) - For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1] -1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform -1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example: +1. Individual IdP accounts created: each user requires an account defined in the third-party IdP platform +1. Individual Azure AD accounts created: each user requires a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example: - [School Data Sync (SDS)][SDS-1] - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1] - provisioning tools offered by the IdP - + For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad). 1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2] 1. Enable federated sign-in on the Windows devices -To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet. +To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet. > [!IMPORTANT] > WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAML 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods: -> - provisioning packages (PPKG) +> - Provisioning packages (PPKG) > - Windows Autopilot self-deploying mode -### System requirements +[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)] -Federated sign-in is supported on the following Windows SKUs and versions: +Federated sign-in for student assigned (1:1) devices is supported on the following Windows editions and versions: - Windows 11 SE, version 22H2 and later - Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1] +Federated sign-in for shared devices is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2]. + ## Configure federated sign-in -To use web sign-in with a federated identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG). +You can configure federated sign-in for student assigned (1:1) devices or student shared devices: + +- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen +- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device + +The configuration is different for each scenario, and is described in the following sections. + +### Configure federated sign-in for student assigned (1:1) devices + +To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG). #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: +[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)] -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +| Category | Setting name | Value | +|--|--|--| +| Education | Is Education Environment | Enabled | +| Federated Authentication | Enable Web Sign In For Primary User | Enabled | +| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` | +| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` | + +[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings: | Setting | |--------| -|
**Data type**: int
**Value**: `1`| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`
**Data type**: int
**Value**: `1`| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
**Data type**: String
**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`**
**Data type**: String
**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`| #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -87,14 +102,61 @@ To configure federated sign-in using a provisioning package, use the following s | Setting | |--------| -|
**Value**: Enabled| +| **Path**: `FederatedAuthentication/EnableWebSignInForPrimaryUser`
**Value**: Enabled| +| **Path**: `Policies/Authentication/ConfigureWebSignInAllowedUrls`
**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`| +| **Path**: `Policies/Authentication/ConfigureWebCamAccessDomainNames`
**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`| -:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true"::: +:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true"::: -Apply the provisioning package to the devices that require federated sign-in. +Apply the provisioning package to the single-user devices that require federated sign-in. + +> [!IMPORTANT] +> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1]. + +--- + +### Configure federated sign-in for student shared devices + +To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG). + +#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Education | Is Education Environment | Enabled | +| SharedPC | Enable Shared PC Mode With OneDrive Sync | True | +| Authentication | Enable Web Sign In | Enabled | +| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` | +| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` | + +[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings: + +| Setting | +|--------| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`
**Data type**: int
**Value**: `1`| +| **OMA-URI**: `./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`
**Data type**: Boolean
**Value**: True| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`
**Data type**: Integer
**Value**: `1`| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
**Data type**: String
**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`| +| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`
**Data type**: String
**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`| + +#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +To configure federated sign-in using a provisioning package, use the following settings: + +| Setting | +|--------| +|
Value: **Enabled**| +|
Value: **True**| +|
Value: **Enabled**| +|
Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**| +|
Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**| + +Apply the provisioning package to the shared devices that require federated sign-in. > [!IMPORTANT] > There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1]. @@ -105,20 +167,41 @@ Apply the provisioning package to the devices that require federated sign-in. Once the devices are configured, a new sign-in experience becomes available. -As the end users enter their username, they'll be redirected to the identity provider sign-in page. Once users are authenticated by the IdP, they'll be signed-in. In the following animation, you can see how the first sign-in process works: +As users enter their username, they're redirected to the identity provider sign-in page. Once the Idp authenticates the users, they're signed-in. In the following animation, you can observe how the first sign-in process works for a student assigned (1:1) device: -:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Windows 11 SE sign-in using federated sign-in through Clever and QR code badge." border="false"::: +:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false"::: > [!IMPORTANT] -> Once the policy is enabled, the first user to sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen. +> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen. +> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Azure AD tenant name is configured. ## Important considerations -Federated sign-in doesn't work on devices that have the following settings enabled: +### Known issues affecting student assigned (1:1) devices -- **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1] +Federated sign-in for student assigned (1:1) devices doesn't work with the following settings enabled: + +- **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**, which are part of the [SharedPC CSP][WIN-1] - **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2] -- **Take a Test**, since it uses the security policy above +- **Take a Test** in kiosk mode, since it uses the security policy above + +### Known issues affecting student shared devices + +The following issues are known to affect student shared devices: + +- Non-federated users can't sign-in to the devices, including local accounts +- **Take a Test** in kiosk mode, since it uses a local guest account to sign in + +### Account management + +For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3]. + +### Preferred Azure AD tenant name + +To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.\ +When using preferred AAD tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown. + +For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4]. ### Identity matching in Azure AD @@ -128,9 +211,9 @@ After the token sent by the IdP is validated, Azure AD searches for a matching u > [!NOTE] > The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it. -If the matching object is found, the user is signed-in. If not, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found: +If the matching object is found, the user is signed-in. Otherwise, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found: -:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png"::: +:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Screenshot of Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png"::: > [!IMPORTANT] > The ImmutableId matching is case-sensitive. @@ -145,11 +228,16 @@ In a scenario where a user is federated and you want to change the ImmutableId, Here's a PowerShell example to update the ImmutableId for a federated user: ```powershell +Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force +Install-Module Microsoft.Graph -Scope CurrentUser +Import-Module Microsoft.Graph +Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All' + #1. Convert the user from federated to cloud-only -Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alton@example.onmicrosoft.com +Update-MgUser -UserId alton@example.com -UserPrincipalName alton@example.onmicrosoft.com #2. Convert the user back to federated, while setting the immutableId -Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alton@example.com -ImmutableId '260051' +Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@example.com -OnPremisesImmutableId '260051' ``` ## Troubleshooting @@ -167,13 +255,16 @@ Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -U [GRAPH-1]: /graph/api/user-post-users?tabs=powershell [EXT-1]: https://support.clever.com/hc/s/articles/000001546 -[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 +[INT-1]: /mem/intune/configuration/custom-settings-windows-10 [MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843 [SDS-1]: /schooldatasync [KB-1]: https://support.microsoft.com/kb/5022913 +[KB-2]: https://support.microsoft.com/kb/5026446 [WIN-1]: /windows/client-management/mdm/sharedpc-csp -[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin \ No newline at end of file +[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin +[WIN-3]: /windows/configuration/set-up-shared-or-guest-pc +[WIN-4]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index ca7f319eb1..14121791b1 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,11 +2,8 @@ title: Get and deploy Minecraft Education description: Learn how to obtain and distribute Minecraft Education to Windows devices. ms.topic: how-to -ms.date: 02/23/2023 -appliesto: - - ✅ Windows 10 and later +ms.date: 09/11/2023 ms.collection: - - highpri - education - tier2 --- diff --git a/education/windows/images/federated-sign-in-settings-intune.png b/education/windows/images/federated-sign-in-settings-intune.png deleted file mode 100644 index bdde7cf85a..0000000000 Binary files a/education/windows/images/federated-sign-in-settings-intune.png and /dev/null differ diff --git a/education/windows/index.yml b/education/windows/index.yml index 691901dcf2..8d3a93691a 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -1,95 +1,181 @@ -### YamlMime:Landing +### YamlMime:Hub title: Windows for Education documentation -summary: Evaluate, plan, deploy, and manage Windows devices in an education environment +summary: Learn how to deploy, secure, and manage Windows clients in an education environment. +brand: windows metadata: - title: Windows for Education documentation - description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune - ms.topic: landing-page + ms.topic: hub-page ms.prod: windows-client ms.technology: itpro-edu ms.collection: - - education - - highpri - - tier1 + - education + - highpri + - tier1 author: paolomatarazzo ms.author: paoloma - ms.date: 03/09/2023 manager: aaroncz + ms.date: 07/28/2023 -landingContent: +highlightedContent: + items: + - title: Get started with Windows 11 + itemType: get-started + url: /windows/whats-new/windows-11-overview + - title: Windows 11, version 22H2 + itemType: whats-new + url: /windows/whats-new/whats-new-windows-11-version-22H2 + - title: Windows 11, version 22H2 group policy settings reference + itemType: download + url: https://www.microsoft.com/en-us/download/details.aspx?id=104594 + - title: Windows release health + itemType: whats-new + url: /windows/release-health + - title: Windows commercial licensing + itemType: overview + url: /windows/whats-new/windows-licensing + - title: Windows 365 documentation + itemType: overview + url: /windows-365 + - title: Explore all Windows trainings and learning paths for IT pros + itemType: learn + url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator + - title: Enroll Windows client devices in Microsoft Intune + itemType: how-to-guide + url: /mem/intune/fundamentals/deployment-guide-enrollment-windows - - title: Get started - linkLists: - - linkListType: tutorial - links: - - text: Deploy and manage Windows devices in a school - url: tutorial-school-deployment/index.md - - text: Prepare your tenant - url: tutorial-school-deployment/set-up-azure-ad.md - - text: Configure settings and applications with Microsoft Intune - url: tutorial-school-deployment/configure-devices-overview.md - - text: Manage devices with Microsoft Intune - url: tutorial-school-deployment/manage-overview.md - - text: Management functionalities for Surface devices - url: tutorial-school-deployment/manage-surface-devices.md +productDirectory: + title: Get started + items: - - title: Learn about Windows 11 SE - linkLists: - - linkListType: concept - links: - - text: What is Windows 11 SE? - url: windows-11-se-overview.md - - text: Windows 11 SE settings - url: windows-11-se-settings-list.md - - linkListType: whats-new - links: - - text: Configure federated sign-in - url: federated-sign-in.md - - text: Configure education themes - url: edu-themes.md - - text: Configure Stickers - url: edu-stickers.md - - linkListType: video - links: - - text: Deploy Windows 11 SE using Set up School PCs - url: https://www.youtube.com/watch?v=Ql2fbiOop7c + - title: Hardware security + imageSrc: /media/common/i_usb.svg + links: + - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview + text: Trusted Platform Module + - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor + text: Microsoft Pluton + - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows + text: Windows Defender System Guard + - url: /windows-hardware/design/device-experiences/oem-vbs + text: Virtualization-based security (VBS) + - url: /windows-hardware/design/device-experiences/oem-highly-secure-11 + text: Secured-core PC + - url: /windows/security/hardware-security + text: Learn more about hardware security > - - title: Deploy devices with Set up School PCs - linkLists: - - linkListType: concept - links: - - text: What is Set up School PCs? - url: set-up-school-pcs-technical.md - - linkListType: how-to-guide - links: - - text: Use the Set up School PCs app - url: use-set-up-school-pcs-app.md - - linkListType: reference - links: - - text: Provisioning package settings - url: set-up-school-pcs-provisioning-package.md - - linkListType: video - links: - - text: Use the Set up School PCs App - url: https://www.youtube.com/watch?v=2ZLup_-PhkA + - title: OS security + imageSrc: /media/common/i_threat-protection.svg + links: + - url: /windows/security/operating-system-security + text: Trusted boot + - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center + text: Windows security settings + - url: /windows/security/operating-system-security/data-protection/bitlocker/ + text: BitLocker + - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines + text: Windows security baselines + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ + text: MMicrosoft Defender SmartScreen + - url: /windows/security/operating-system-security + text: Learn more about OS security > - - title: Configure devices - linkLists: - - linkListType: concept - links: - - text: Take tests and assessments in Windows - url: take-tests-in-windows.md - - text: Considerations for shared and guest devices - url: /windows/configuration/shared-devices-concepts?context=/education/context/context - - text: Change Windows editions - url: change-home-to-edu.md - - linkListType: how-to-guide - links: - - text: Configure Take a Test in kiosk mode - url: edu-take-a-test-kiosk-mode.md - - text: Configure Shared PC - url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context - - text: Get and deploy Minecraft Education - url: get-minecraft-for-education.md \ No newline at end of file + - title: Identity protection + imageSrc: /media/common/i_identity-protection.svg + links: + - url: /windows/security/identity-protection/hello-for-business + text: Windows Hello for Business + - url: /windows/security/identity-protection/credential-guard + text: Credential Guard + - url: /windows-server/identity/laps/laps-overview + text: Windows LAPS (Local Administrator Password Solution) + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection + text: Enhanced phishing protection with SmartScreen + - url: /education/windows/federated-sign-in + text: Federated sign-in (EDU) + - url: /windows/security/identity-protection + text: Learn more about identity protection > + + - title: Application security + imageSrc: /media/common/i_queries.svg + links: + - url: /windows/security/application-security/application-control/windows-defender-application-control/ + text: Windows Defender Application Control (WDAC) + - url: /windows/security/application-security/application-control/user-account-control + text: User Account Control (UAC) + - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules + text: Microsoft vulnerable driver blocklist + - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + text: Microsoft Defender Application Guard (MDAG) + - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview + text: Windows Sandbox + - url: /windows/security/application-security + text: Learn more about application security > + + - title: Security foundations + imageSrc: /media/common/i_build.svg + links: + - url: /windows/security/security-foundations/certification/fips-140-validation + text: FIPS 140-2 validation + - url: /windows/security/security-foundations/certification/windows-platform-common-criteria + text: Common Criteria Certifications + - url: /windows/security/security-foundations/msft-security-dev-lifecycle + text: Microsoft Security Development Lifecycle (SDL) + - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview + text: Microsoft Windows Insider Preview bounty program + - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ + text: OneFuzz service + - url: /windows/security/security-foundations + text: Learn more about security foundations > + + - title: Cloud security + imageSrc: /media/common/i_cloud-security.svg + links: + - url: /mem/intune/protect/security-baselines + text: Security baselines with Intune + - url: /windows/deployment/windows-autopatch + text: Windows Autopatch + - url: /windows/deployment/windows-autopilot + text: Windows Autopilot + - url: /universal-print + text: Universal Print + - url: /windows/client-management/mdm/remotewipe-csp + text: Remote wipe + - url: /windows/security/cloud-security + text: Learn more about cloud security > + +additionalContent: + sections: + - title: More Windows resources + items: + + - title: Windows Server + links: + - text: Windows Server documentation + url: /windows-server + - text: What's new in Windows Server 2022? + url: /windows-server/get-started/whats-new-in-windows-server-2022 + - text: Windows Server blog + url: https://cloudblogs.microsoft.com/windowsserver/ + + - title: Windows product site and blogs + links: + - text: Find out how Windows enables your business to do more + url: https://www.microsoft.com/microsoft-365/windows + - text: Windows blogs + url: https://blogs.windows.com/ + - text: Windows IT Pro blog + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog + - text: Microsoft Intune blog + url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog + - text: "Windows help & learning: end-user documentation" + url: https://support.microsoft.com/windows + + - title: Participate in the community + links: + - text: Windows community + url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10 + - text: Microsoft Intune community + url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune + - text: Microsoft Support community + url: https://answers.microsoft.com/windows/forum \ No newline at end of file diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 8ba0185e3d..98999d7cc0 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -1,7 +1,7 @@ --- title: Azure AD Join with Set up School PCs app description: Learn how Azure AD Join is configured in the Set up School PCs app. -ms.topic: article +ms.topic: reference ms.date: 08/10/2022 appliesto: - ✅ Windows 10 diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 58b9ae8063..12ea6880b4 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -1,7 +1,7 @@ --- title: What's in Set up School PCs provisioning package -description: List of the provisioning package settings that are configured in the Set up School PCs app. -ms.date: 08/10/2022 +description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app. +ms.date: 06/02/2023 ms.topic: reference appliesto: - ✅ Windows 10 @@ -11,115 +11,122 @@ appliesto: The Set up School PCs app builds a specialized provisioning package with school-optimized settings. -A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article. +A key feature of the provisioning package is SharedPC mode. To learn about the technical framework of SharedPC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article. ## Shared PC Mode policies -This table outlines the policies applied to devices in shared PC mode. If you select to optimize a device for use by a single student, you'll see differences in the following policies: -* Disk level deletion -* Inactive threshold -* Restrict local storage + +The following table outlines the policies applied to devices in SharedPC mode. If you select to optimize a device for use by a single student, you find differences in the policies applied: + +- Disk level deletion +- Inactive threshold +- Restrict local storage In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting. For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode). -|Policy name|Default value|Description| -|---------|---------|---------| -|Enable Shared PC mode|True| Configures the PCs so they're in shared PC mode.| -|Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | -|Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. | -|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. | -|Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | -|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and doesn't delete accounts. | -|Enable account manager | True | Enables automatic account management. | -|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. -|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | -|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | -|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | -|Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | -|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.| -|Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | -|Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | -|Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | +| Policy name | Default value | Description | +|--|--|--| +| Enable Shared PC mode | True | Configures the PCs so they're in shared PC mode. | +| Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | +| Account Model | Only guest, Domain-joined only, or Domain-joined and guest | Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined enables any user in the domain to sign in. Specifying the guest option adds the Guest option to the sign-in screen and enable anonymous guest access to the PC. | +| Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold starts deleting accounts when available disk space falls below the threshold you set for disk level deletion. It stops deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. | +| Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | +| Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When devices are optimized for shared use, the policy sets 25% of total disk space as the disk space threshold for account caching. When devices are optimized for use by a single student, the policy sets the value to 0% and doesn't delete accounts. | +| Enable account manager | True | Enables automatic account management. | +| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. | +| Kiosk Mode AMUID | `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App` | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | +| Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | +| Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | +| Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | +| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. | +| Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | +| Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | +| Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | -## MDM and local group policies -This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app. +## MDM and local group policies + +This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app. For a more detailed look of each policy listed, see [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation. +| Policy name | Default value | Description | +|--|--|--| +| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. | +| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | +| WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. | +| Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. | +| Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates | +| Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. | +| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. | +| Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. | +| Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | +| Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | +| Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | +| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode | +| Allow Cortana | Disabled | Cortana isn't allowed on the device. | +| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. | +| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. | +| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. | +| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | +| Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. | +| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | +| Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | +| Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. | +| Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | +| Personalization | Lock screen image URL | Image filename | +| Update | Active hours end | 5 PM | +| Update | Active hours start | 7 AM | +| Updates Windows | Nightly | Sets Windows to update on a nightly basis. | -| Policy name | Default value | Description | -|-------------------------------------------------------------|--------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. | -| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | -| WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. | -| Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. | -| Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates | -| Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. | -| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. | -| Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. | -| Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | -| Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | -| Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | -| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode | -| Allow Cortana | Disabled | Cortana isn't allowed on the device. | -| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. | -| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. | -| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. | -| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | -| Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. | -| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | -| Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | -| Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. | -| Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | -| Personalization | Lock screen image URL | Image filename | -| Update | Active hours end | 5 PM | -| Update | Active hours start | 7 AM | -| Updates Windows | Nightly | Sets Windows to update on a nightly basis. | +## Apps uninstalled from Windows devices -## Apps uninstalled from Windows 10 devices -Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: +Set up School PCs app uses the Universal app uninstall policy. The policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. The apps uninstalled from Windows devices are: +- Mixed Reality Viewer +- Weather +- Desktop App Installer +- Tips +- Messaging +- My Office +- Microsoft Solitaire Collection +- Mobile Plans +- Feedback Hub +- Xbox +- Mail/Calendar +- Skype -* Mixed Reality Viewer -* Weather -* Desktop App Installer -* Tips -* Messaging -* My Office -* Microsoft Solitaire Collection -* Mobile Plans -* Feedback Hub -* Xbox -* Mail/Calendar -* Skype +## Apps installed on Windows devices -## Apps installed on Windows 10 devices -Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include: -* OneDrive -* OneNote -* Sway +Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. The following apps are installed: + +- OneDrive +- OneNote +- Sway ## Provisioning time estimates + The time it takes to install a package on a device depends on the: -* Strength of network connection -* Number of policies and apps within the package -* Other configurations made to the device +- Strength of network connection +- Number of policies and apps within the package +- Other configurations made to the device -Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision. +Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision. -|Configurations |Connection type |Estimated provisioning time | -|---------|---------|---------| -|Default settings only | Wi-Fi | 3 to 5 minutes | -|Default settings + apps | Wi-Fi | 10 to 15 minutes | -|Default settings + remove pre-installed apps (CleanPC) | Wi-Fi | 60 minutes | -|Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | +| Configurations | Connection type | Estimated provisioning time | +|--|--|--| +| Default settings only | Wi-Fi | 3 to 5 minutes | +| Default settings + apps | Wi-Fi | 10 to 15 minutes | +| Default settings + remove preinstalled apps (CleanPC) | Wi-Fi | 60 minutes | +| Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | -## Next steps -Learn more about setting up devices with the Set up School PCs app. -* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) -* [Set up School PCs technical reference](set-up-school-pcs-technical.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) +## Next steps -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). \ No newline at end of file +Learn more about setting up devices with the Set up School PCs app. + +- [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +- [Set up School PCs technical reference](set-up-school-pcs-technical.md) +- [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 28907160cb..f888895674 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -1,7 +1,7 @@ --- title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. -ms.topic: conceptual +ms.topic: overview ms.date: 08/10/2022 appliesto: - ✅ Windows 10 diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index 2b46d073f5..97988171bf 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -3,8 +3,6 @@ title: What's new in the Windows Set up School PCs app description: Find out about app updates and new features in Set up School PCs. ms.topic: whats-new ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 and later --- # What's new in Set up School PCs diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index 61f6b28d77..1193a202d9 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -1,7 +1,7 @@ --- title: Set up Windows devices for education description: Decide which option for setting up Windows 10 is right for you. -ms.topic: article +ms.topic: overview ms.date: 08/10/2022 appliesto: - ✅ Windows 10 @@ -9,11 +9,12 @@ appliesto: # Set up Windows devices for education -You have two tools to choose from to set up PCs for your classroom: -* Set up School PCs -* Windows Configuration Designer +You have two tools to choose from to set up PCs for your classroom: -Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). +- Set up School PCs +- Windows Configuration Designer + +Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). You can use the following diagram to compare the tools. @@ -29,4 +30,4 @@ You can use the following diagram to compare the tools. ## Related topics [Take tests in Windows](take-tests-in-windows.md) -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) \ No newline at end of file +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S \ No newline at end of file diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index daab02821c..da1540090d 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -1,10 +1,8 @@ --- title: Take a Test app technical reference description: List of policies and settings applied by the Take a Test app. -ms.date: 09/30/2022 +ms.date: 03/31/2023 ms.topic: reference -appliesto: - - ✅ Windows 10 and later --- # Take a Test app technical reference diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md index 1eea480188..d9663d6d32 100644 --- a/education/windows/take-tests-in-windows.md +++ b/education/windows/take-tests-in-windows.md @@ -1,10 +1,8 @@ --- title: Take tests and assessments in Windows description: Learn about the built-in Take a Test app for Windows and how to use it. -ms.date: 09/30/2022 -ms.topic: conceptual -appliesto: - - ✅ Windows 10 and later +ms.date: 03/31/2023 +ms.topic: how-to --- # Take tests and assessments in Windows diff --git a/education/windows/TOC.yml b/education/windows/toc.yml similarity index 97% rename from education/windows/TOC.yml rename to education/windows/toc.yml index 69693b6fdf..d12a3eb854 100644 --- a/education/windows/TOC.yml +++ b/education/windows/toc.yml @@ -6,6 +6,8 @@ items: items: - name: Deploy and manage Windows devices in a school href: tutorial-school-deployment/toc.yml + - name: Deploy applications to Windows 11 SE + href: tutorial-deploy-apps-winse/toc.yml - name: Concepts items: - name: Windows 11 SE diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md new file mode 100644 index 0000000000..73d202a202 --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/considerations.md @@ -0,0 +1,53 @@ +--- +title: Important considerations before deploying apps with managed installer +description: Learn about important aspects to consider before deploying apps with managed installer. +ms.date: 06/19/2023 +ms.topic: tutorial +appliesto: + - ✅ Windows 11 SE, version 22H2 and later +--- + +# Important considerations before deploying apps with Managed Installer + +This article describes important aspects to consider before deploying apps with managed installer. + +## Existing apps deployed in Intune + +If you have Windows 11 SE devices that already have apps deployed through Intune, the apps won't get retroactively tagged with the *managed installer* mark. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run. + +## Enrollment Status Page + +The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the Windows 11 SE base policy, devices can be blocked from completing enrollment if: + +1. You have the ESP configured to block device use until required apps are installed, and +2. You deploy an app that is blocked by the Windows 11 SE base policy, not installable via a managed installer (without more policies), and not allowed by any supplemental policies or AppLocker policies + + +If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation. + +:::image type="content" source="./images/esp-error.png" alt-text="Screenshot of the Enrollment Status Page showing an error in OOBE on Windows 11 SE." border="false"::: + +### ESP errors mitigation + +To ensure that you don't run into installation or enrollment blocks, you can pick one of the following options, in accordance with your internal policies: + +1. Ensure that all apps are unblocked from installation. Apps must be compatible with the Windows 11 SE managed installer flow, and if they aren't compatible out-of-box, have the corresponding supplemental policy to allow them +2. Don't deploy apps that you haven't validated +3. Set your Enrollment Status Page configuration to not block device use based on required apps + +To learn more about the ESP, see [Set up the Enrollment Status Page][MEM-1]. + +## Potential impact to events collected by Log Analytics integrations + +Log Analytics is a cloud service that can be used to collect data from AppLocker policy events. Windows 11 SE devices enrolled in an Intune Education tenant will automatically receive an AppLocker policy. The result is an increase in events generated by the AppLocker policy. + +If your organization is using Log Analytics, it's recommended to review your Log Analytics setup to: + +- Ensure there's an appropriate data collection cap in place to avoid unexpected billing costs +- Turn off the collection of non-error AppLocker events in Log Analytics, except for MSI and Script logs + +For more information, see [Use Event Viewer with AppLocker][WIN-1] + +[MEM-1]: /mem/intune/enrollment/windows-enrollment-status +[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md new file mode 100644 index 0000000000..8841f736bd --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md @@ -0,0 +1,210 @@ +--- +title: Create policies to enable applications +description: Learn how to create policies to enable the installation and execution of apps on Windows SE. +ms.date: 06/19/2023 +ms.topic: tutorial +appliesto: + - ✅ Windows 11 SE, version 22H2 and later +--- + +# Create policies to enable applications + +:::row::: + :::column span=""::: +
+ [**Deploy an application via Microsoft Intune**](deploy-apps.md) + :::column-end::: + :::column span=""::: +
+ [**Validate the application**](validate-apps.md) + :::column-end::: + :::column span=""::: +
+ [**Create additional policies (optional)**](create-policies.md) + :::column-end::: +:::row-end::: + + +You can create AppLocker policies to allow apps that are [semi-compatible](./validate-apps.md#semi-compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer to run. + + + +## AppLocker policies + +Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run. + +To allow apps to run by setting their installers as managed installers, follow the guidance here: + +- [Edit an AppLocker policy][WIN-5] +- [Allow apps deployed with a WDAC managed installer][WIN-6] + +## Next steps + + + +Advance to the next article to learn how to deploy the AppLocker policies to Windows 11 SE devices. + +> [!div class="nextstepaction"] +> [Next: deploy policies >](deploy-policies.md) + +[EXT-1]: https://webapp-wdac-wizard.azurewebsites.net/ +[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/types-of-devices +[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy +[WIN-3]: /windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies +[WIN-5]: /windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy +[WIN-6]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md new file mode 100644 index 0000000000..bc3bd28004 --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md @@ -0,0 +1,109 @@ +--- +title: Applications deployment considerations +description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them. +ms.date: 05/23/2023 +ms.topic: tutorial +appliesto: + - ✅ Windows 11 SE, version 22H2 and later +--- + +# Applications deployment considerations + +:::row::: + :::column span=""::: +
+ [**Deploy an application via Microsoft Intune**](deploy-apps.md) + :::column-end::: + :::column span=""::: +
+ [**Validate the application**](validate-apps.md) + :::column-end::: + :::column span=""::: +
+ [**Create additional policies (optional)**](create-policies.md) + :::column-end::: +:::row-end::: + +The process to deploy applications to Windows SE devices via Microsoft Intune is the same used for non-SE devices. Applications must be defined in Intune, and then assigned to the correct groups.\ +However, on Windows SE devices, apps may successfully install, but they need validation to be certain that they're functional. + +The following table provides an overview of the applications types that can be deployed to Windows devices via Intune, and considerations about the installation on Windows SE: + +|**Installer/App type**|**Installer extensions**|**Available installation methods via Intune**|**Considerations for Windows 11 SE**| +|-|-|-|-| +|[Win32][WIN-1]|`.exe`
`.msi`|- Intune Management Extension (IME)
- Microsoft Store integration|⚠️ There are known limitations that might prevent an app to install or run.| +|[Universal Windows Platform (UWP)][WIN-2]|`.appx`
`.appxbundle`
`.msix`
|- For public apps: Microsoft Store integration
- For private apps: line-of-business (LOB) apps|⛔ UWP apps are currently unsupported.| +|[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies
- Microsoft Store integration|✅ PWAs are supported.| +|Web links| n/a |- Windows web links|✅ Web links are supported.| + + + +> [!IMPORTANT] +> Store apps must be installed in device context. Deploying apps in user context fails with error code `0x800711C7`. + +> [!IMPORTANT] +> Although you'll be able to install apps on Windows 11 SE devices via Intune, some apps may not perform well on these devices due those apps' minimum spec requirements. +> Before deploying apps, first check which apps will be targeting your Windows 11 SE devices, and ensure that they meet the requirements. + +## Win32 apps + +The addition of Win32 applications to Intune consists of repackaging the apps and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. + +> [!IMPORTANT] +> If you have Windows 11 SE devices that already have apps deployed through Intune, the apps will not get retroactively tagged with the *managed installer* mark. The reason is to avoid making any security assumptions for these apps. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run. + +There are known limitations that might prevent applications to install or execute. For more information, see the next section [validate applications](validate-apps.md). + +## UWP apps + +UWP apps are currently unsupported for Windows 11 SE. + + +## PWA apps + +PWAs can be deployed using the [Force-installed web Apps][EDGE-1] option via [settings catalog policies][MEM-3], or using the Microsoft Store integration with Intune. + +## Web links + +Web link can be deployed via Intune using [Windows web links][MEM-4], and will be available in the Start menu of the targeted devices. + +## Section review + +Before moving on to the next section, ensure that you've completed the following tasks: + +> [!div class="checklist"] +> - `.intunewin` package created (for Win32 apps) +> - App uploaded via Intune (for Win32 and UWP LOB apps) +> - App assigned to the correct groups + +## Next steps + +Advance to the next article to learn how to validate the applications deployed to Windows 11 SE devices. + +> [!div class="nextstepaction"] +> [Next: validate apps >](validate-apps.md) + +[EDGE-1]: /deployedge/microsoft-edge-policies#configure-list-of-force-installed-web-apps +[EDGE-2]: /microsoft-edge/progressive-web-apps-chromium +[MEM-1]: /mem/intune/apps/apps-win32-add +[MEM-2]: /mem/intune/apps/lob-apps-windows +[MEM-3]: /mem/intune/configuration/settings-catalog +[MEM-4]: /mem/intune/apps/web-app +[WIN-1]: /windows/win32 +[WIN-2]: /windows/uwp/get-started/universal-application-platform-guide \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md new file mode 100644 index 0000000000..330d85b61e --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md @@ -0,0 +1,96 @@ +--- +title: Deploy policies to enable applications +description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices. +ms.date: 05/23/2023 +ms.topic: tutorial +appliesto: + - ✅ Windows 11 SE, version 22H2 and later +--- + + + +# Deploy policies to enable applications + +Once the policies are created, you must deploy them to the Windows SE devices.\ +AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices. + + + +## Deploy AppLocker policies + +Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune. + +You can create a PowerShell script that stores the contents of the policy in a variable, then use the `Set-AppLockerPolicy` PowerShell command to merge it. Here's a sample function for the task: + +```PowerShell +function MergeAppLockerPolicy([string]$policyXml) +{ + $policyFile = '.\AppLockerPolicy.xml' + $policyXml | Out-File $policyFile + Write-Host "Merging and setting AppLocker policy" + Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue + Remove-Item $policyFile +} +``` + +> [!WARNING] +> Intune deploys a script with the AppLocker policy to set **Intune Management Extension as a managed installer** on all Windows 11 SE devices enrolled into an Intune EDU tenant. If you want to deploy your own AppLocker policy to set another Managed Installer (in addition to Intune), be sure to use the `-Merge` parameter with `Set-AppLockerPolicy`. The `-Merge` parameter ensures that your policy plays well with Intune's AppLocker policy. Without using the `-Merge` parameter, it will result in issues with apps not getting tagged properly and their ability to run on impacted devices. To learn more about AppLocker Merge policy, see [Merge AppLocker policies][WIN-7]. + +Once finished, you can deploy the script via Intune. For more information, see [Add PowerShell scripts to Windows devices in Microsoft Intune][MEM-1]. + +### Troubleshoot AppLocker policies + +For information how to validate and troubleshoot AppLocker policies, see [AppLocker policy validation](./troubleshoot.md#applocker-policy-validation) + +## Next steps + + + +Advance to the next article to learn about important considerations when deploying apps and policies to Windows SE devices. + +> [!div class="nextstepaction"] +> +> [Next: important deployment considerations >](considerations.md) + +[MEM-1]: /mem/intune/apps/intune-management-extension +[WIN-4]: /windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune +[WIN-7]: /windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy diff --git a/education/windows/tutorial-deploy-apps-winse/images/applocker-export-policy.png b/education/windows/tutorial-deploy-apps-winse/images/applocker-export-policy.png new file mode 100644 index 0000000000..593b5fe843 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/applocker-export-policy.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/applocker-policy-validation.png b/education/windows/tutorial-deploy-apps-winse/images/applocker-policy-validation.png new file mode 100644 index 0000000000..79c0de6d18 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/applocker-policy-validation.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/esp-error.png b/education/windows/tutorial-deploy-apps-winse/images/esp-error.png new file mode 100644 index 0000000000..84d7475234 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/esp-error.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/intune-app-install-overview.png b/education/windows/tutorial-deploy-apps-winse/images/intune-app-install-overview.png new file mode 100644 index 0000000000..28423c67cc Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/intune-app-install-overview.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/intune-app-install-status.png b/education/windows/tutorial-deploy-apps-winse/images/intune-app-install-status.png new file mode 100644 index 0000000000..df76fdd426 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/intune-app-install-status.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/phase-1-off.svg b/education/windows/tutorial-deploy-apps-winse/images/phase-1-off.svg new file mode 100644 index 0000000000..0f7589f26c --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/images/phase-1-off.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/images/phase-1-on.svg b/education/windows/tutorial-deploy-apps-winse/images/phase-1-on.svg new file mode 100644 index 0000000000..809883ba90 --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/images/phase-1-on.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/images/phase-2-off.svg b/education/windows/tutorial-deploy-apps-winse/images/phase-2-off.svg new file mode 100644 index 0000000000..287693b1c3 --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/images/phase-2-off.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/images/phase-2-on.svg b/education/windows/tutorial-deploy-apps-winse/images/phase-2-on.svg new file mode 100644 index 0000000000..15ee719743 --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/images/phase-2-on.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/images/phase-3-off.svg b/education/windows/tutorial-deploy-apps-winse/images/phase-3-off.svg new file mode 100644 index 0000000000..4bbf64a04f --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/images/phase-3-off.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/images/phase-3-on.svg b/education/windows/tutorial-deploy-apps-winse/images/phase-3-on.svg new file mode 100644 index 0000000000..eda21828f7 --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/images/phase-3-on.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-citool.png b/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-citool.png new file mode 100644 index 0000000000..ad1e808762 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-citool.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-codeintegrity-log.png b/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-codeintegrity-log.png new file mode 100644 index 0000000000..f4417060ee Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-codeintegrity-log.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-managed-installer-policy.png b/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-managed-installer-policy.png new file mode 100644 index 0000000000..64f8c88057 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/troubleshoot-managed-installer-policy.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/wdac-uwp-policy.png b/education/windows/tutorial-deploy-apps-winse/images/wdac-uwp-policy.png new file mode 100644 index 0000000000..d98bd04870 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/wdac-uwp-policy.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/wdac-winsepolicy.png b/education/windows/tutorial-deploy-apps-winse/images/wdac-winsepolicy.png new file mode 100644 index 0000000000..0b59e2c5bb Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/wdac-winsepolicy.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/winse-app-block.png b/education/windows/tutorial-deploy-apps-winse/images/winse-app-block.png new file mode 100644 index 0000000000..6360567245 Binary files /dev/null and b/education/windows/tutorial-deploy-apps-winse/images/winse-app-block.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md new file mode 100644 index 0000000000..ff7cce6a5f --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/index.md @@ -0,0 +1,85 @@ +--- +title: Deploy applications to Windows 11 SE with Intune +description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps. +ms.date: 06/07/2023 +ms.topic: tutorial +appliesto: + - ✅ Windows 11 SE, version 22H2 and later +--- + +# Tutorial: deploy applications to Windows 11 SE with Intune + +This guide describes how to deploy applications to Windows 11 SE devices that are managed by Microsoft Intune in an education environment. The guide also describes how to validate the apps and how to create policies to allow apps that aren't installable or don't behave as intended. + +## Windows 11 SE and application deployment + +Windows 11 SE is designed to provide a simplified and secure experience for students. Windows 11 SE prevents the installation and execution of third party applications with a technology called *Windows Defender Application Control (WDAC)*. + +WDAC applies an *allowlist* policy called *Windows 11 SE base policy*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the Windows 11 SE base policy. + +With the use of WDAC *supplemental policies*, Intune allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy. + +Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in an Intune education tenant, it will automatically receive an AppLocker policy that sets the *Intune Management Extension (IME)* as a *managed installer*. + +As a managed installer, applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. For more information about managed installer, see [How does a managed installer work?][WIN-2] + +> [!NOTE] +> End-users of Windows 11 SE devices still cannot install and use arbitrary applications without being blocked. Only IT admins can control what apps are allowed. + +## Tutorial objectives + +Even when using managed installer, some applications may not execute due to their type or complexity. In these scenarios, the IT admin must create their own policies that allow the apps execution.\ +The policies can then be deployed to the Windows SE devices via Intune. + +In this tutorial you'll learn: + +- Which types of apps can be deployed via Intune to Windows 11 SE devices +- How to verify that the apps are installed correctly +- How to mitigate app installation issues +- Special considerations when deploying apps to Windows 11 SE + +## Installation process + +There are three main steps to install an application on Windows 11 SE using the managed installer. Each step will be covered in detail in the next sections of this tutorial: + +:::row::: + :::column span=""::: +
+ [**Deploy an application via Microsoft Intune**](deploy-apps.md)
+ Applications are deployed via Microsoft Intune. There are some restrictions on the types of apps that are compatible with managed installers, but the process is the same used for non-Windows 11 SE devices + :::column-end::: + :::column span=""::: +
+ [**Validate the application**](validate-apps.md)
+ Applications are validated to ensure that they're installed and execute successfully. The process is the same for non-Windows 11 SE devices. Some applications may be incompatible due to how they're installed, how they execute, or how they update. You'll learn about known limitations in a later section of the tutorial + :::column-end::: + :::column span=""::: +
+ [**Create additional policies (optional)**](create-policies.md)
+ To allow apps that aren't installable or don't behave as intended, more policies can be created and deployed so that the apps can be used + :::column-end::: +:::row-end::: + +All the steps are done by the IT administrator. Once the steps are complete, users of Windows 11 SE devices should be able to run the applications deployed via Intune. + +## Prerequisites + +To receive policies on your Windows 11 SE devices, allowing app installation from Intune, you must have: + +- Windows 11 SE, version 22H2 with [KB5019980][KB-1] and later +- Intune for Education licenses. The license requirement is for the managed installer to deploy apps and supplemental policies via Intune + +If you don't have an Intune for Education license for your devices yet, refer to [Microsoft Intune for Education][EXT-1] for access to a free trial version. + +## Next steps + +Advance to the next article to learn which applications can be deployed to Windows 11 SE devices, and how to deploy them via Intune. + +> [!div class="nextstepaction"] +> [Next: deploy apps >](deploy-apps.md) + +[KB-1]: https://support.microsoft.com/kb/5019980 +[EDU-1]: /education/windows/windows-11-se-overview#add-your-own-applications +[EXT-1]: https://www.microsoft.com/en-us/education/intune +[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create +[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#how-does-a-managed-installer-work \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/toc.yml b/education/windows/tutorial-deploy-apps-winse/toc.yml new file mode 100644 index 0000000000..62d09273a0 --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/toc.yml @@ -0,0 +1,17 @@ +items: + - name: Introduction + href: index.md + - name: 1. Deploy apps + href: deploy-apps.md + - name: 2. Validate apps + href: validate-apps.md + - name: 3. Create and deploy policies to allow apps + items: + - name: Create policies + href: create-policies.md + - name: Deploy policies + href: deploy-policies.md + - name: Important app deployment considerations + href: considerations.md + - name: Troubleshoot common issues + href: troubleshoot.md \ No newline at end of file diff --git a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md new file mode 100644 index 0000000000..631b12b06e --- /dev/null +++ b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md @@ -0,0 +1,109 @@ +--- +title: Troubleshoot app deployment issues in Windows SE +description: Troubleshoot common issues when deploying apps to Windows SE devices. +ms.date: 06/19/2023 +ms.topic: tutorial +appliesto: + - ✅ Windows 11 SE, version 22H2 and later +--- + +# Troubleshoot app deployment issues in Windows SE + +The following table lists common app deployment issues on Windows 11 SE, and options to resolve them: + +| **Problem** | **Potential solution** | +|---|---| +| **App hasn't installed** |
- Win32 apps should be able to install with no problem
- UWP LOB apps apps aren't supported
Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. | +| **My supplemental policy hasn't deployed** |
+ [**Deploy an application via Microsoft Intune**](deploy-apps.md) + :::column-end::: + :::column span=""::: +
+ [**Validate the application**](validate-apps.md) + :::column-end::: + :::column span=""::: +
+ [**Create additional policies (optional)**](create-policies.md) + :::column-end::: +:::row-end::: + +A fundamental step in deploying apps to Windows 11 SE devices is to validate that the apps work as expected. + +Application validation consists of the following steps: + +1. Wait for the application to install +1. Verify that the app installed successfully +1. Open the app and exercise all user workflows +1. Inspect the app and take note of any potential problems + +> [!NOTE] +> Apps must be validated on a case-by-case basis. A successful installation doesn't mean that the app will run properly. A successful execution of the app, doesn't mean it will *always* run properly. + +## Wait for the application to install + +Application installation depends on two factors: + +- When the managed installer policies are applied to the device. These policies are automatically applied to Windows SE devices when they are enrolled in Intune +- When the apps are deployed to a device + +> [!IMPORTANT] +> The Intune management extension agent checks every hour (or on service or device restart) for any new Win32 app assignments. + +If the Windows 11 SE base policy doesn't block the application that you're trying to deploy, the process to deploy the app to Windows SE devices should be consistent with non-SE devices. + +## Check for installation + +There are two ways to verify that an app installed successfully: + +- Intune portal +- On the device + +Both options are worth checking. Installation in Intune can be used to check the installation status remotely and to ensure that the installation detection rules are configured correctly. Checking on the device can indicate if the app installed and if it runs properly. + +### Check for installation from Intune + +To check the installation status of an app from the Intune portal: + +1. Sign in to the Microsoft Intune admin center +1. Select **App > All apps** +1. Select the application you want to check +1. From the **Overview** page, you can verify the overall installation status + + :::image type="content" source="./images/intune-app-install-overview.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png"::: + +1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure + + :::image type="content" source="./images/intune-app-install-status.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png"::: + +> [!NOTE] +> A Win32 application may install correctly, but report to Intune as failed.\ +> A Win32 app may also fail to install, but report as installed to Intune. +> +> In both cases, the issue may be in the detection rules defined in Intune, which must be configured correctly to detect the installation of the app. + +### Check for installation on the device + +On a Windows SE device, open the **Settings** app and select **Apps** > **Installed apps**. You can see the list of installed apps and validate that your targeted app is listed. + +Another way to validate that the app has installed is to check its installation directory. The path is usually `C:\Program Files` or `C:\Program Files (x86)`, but can vary from app to app. + +Lastly, launch the app to ensure that it has installed correctly. + +## Check for compatibility + +Checking for compatibility often means to execute the app and verify its functionalities. Here are some things to try while testing the behavior of your app: + +- Open the app +- Test the core functionality and common user scenarios. Exercise a common workflow that a user would do with the app +- Force an update of the app + +Here are things to pay attention to: + +- Know how the apps you deploy are updated, and if they offer controls for automatic updates +- Dialogs may pop up during the app use, indicating that something is blocked +- Multiple apps are installed, especially if one app appears to be a launcher/updater. For example, Adobe Photoshop includes the Adobe Creative Cloud launcher, which updates Photoshop and other apps +- Any messages indicating that the app is doing pre-installation work or downloading more content +- Logs in the Event Viewer + +### Compatible apps + +If an app appears to be functioning correctly without being blocked, it's likely compatible with managed installer installation. +However, just because an app works initially doesn't mean it will *always* work. Self-updates or separate launchers/clients may update the apps. + +### Semi-compatible apps + +Semi-compatible apps may run without problems initially, but in the future they can be restricted to run after it self-updates or another installer/updater app installs over it. + +### Incompatible apps + +Incompatible apps may launch initially, but immediately begin to download more resources.\ +These apps are eventually blocked before any of their functionalities can be accessed. Or, these apps may not launch due to a dependent file blocked by the Windows 11 SE base policy. + +### Visual error notifications + +You may see a dialog indicating **This app won't run on your PC**. Check the indicated executable and verify that it matches the executable of the installed application. + +:::image type="content" source="images/winse-app-block.png" alt-text="Screenshot of Windows SE - error window while opening an app."::: + +### Event Viewer + +More detail can be obtained when looking for events indicating blocked executables in the Event Viewer.\ +The event logs are: + +- **CodeIntegrity > Operational** +- **AppLocker > MSI and Script** + +For more information, see the [Troubleshoot](troubleshoot.md) section. + +## Known limitations + +Not all apps are compatible with managed installers, even after installation. + +To learn about known limitations with apps deployed via a managed installer, see [Known limitations with managed installer][WIN-1]. + + + +## Section review + +Before moving on to the next section, ensure that you've completed the following tasks: + +> [!div class="checklist"] +> - Verified any installation errors from Intune +> - Verified the app installation on the device +> - Checked for any errors when opening the app from the device +> - Checked for any errors in the Event Viewer + +## Next steps + +Select one of the following options to learn the next steps: + + +- If the apps don't work as expected, you must create and deploy AppLocker policies to allow the apps to run + > [!div class="nextstepaction"] + > [Next: Create policies>](create-policies.md) +- If the applications you are deploying don't have any issues, you can skip to important considerations when deploying apps and policies + > [!div class="nextstepaction"] + > [Next: Important deployment considerations>](considerations.md) + +[M365-1]: /microsoft-365/education/deploy/microsoft-store-for-education + +[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#known-limitations-with-managed-installer +[WIN-2]: /windows/msix/ +[WIN-3]: /windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md index 89eb913446..ef1e695396 100644 --- a/education/windows/tutorial-school-deployment/configure-device-apps.md +++ b/education/windows/tutorial-school-deployment/configure-device-apps.md @@ -1,10 +1,8 @@ --- title: Configure applications with Microsoft Intune description: Learn how to configure applications with Microsoft Intune in preparation for device deployment. -ms.date: 08/31/2022 +ms.date: 03/08/2023 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Configure applications with Microsoft Intune @@ -56,21 +54,10 @@ To assign applications to a group of users or devices: ## Considerations for Windows 11 SE -Windows 11 SE supports all web applications and a *curated list* of desktop applications. -You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list][EDU-1]. +Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC). +WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy. -The process to add Win32 applications to Intune is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. - -> [!NOTE] -> If the applications you need aren't included in the list, anyone in your school district can submit an application request at Microsoft Education Support. - -> [!CAUTION] -> If you assign an app to a device running **Windows 11 SE** and receive the **0x87D300D9** error code with a **Failed** state: -> - Be sure the app is on the [approved app list][EDU-1] -> - If you submitted a request to add your own app and it was approved, check that the app meets package requirements -> - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA - -________________________________________________________ +To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1]. ## Next steps @@ -81,7 +68,7 @@ With the applications configured, you can now deploy students' and teachers' dev -[EDU-1]: /education/windows/windows-11-se-overview +[EDU-1]: ../tutorial-deploy-apps-winse/index.md [MEM-1]: /mem/intune/apps/apps-win32-add diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md index 5b63ea0b0b..f9d1d2046f 100644 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md @@ -3,8 +3,6 @@ title: Configure and secure devices with Microsoft Intune description: Learn how to configure policies with Microsoft Intune in preparation for device deployment. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Configure and secure devices with Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md index 60bc205647..075d9fe6d3 100644 --- a/education/windows/tutorial-school-deployment/configure-devices-overview.md +++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md @@ -3,8 +3,6 @@ title: Configure devices with Microsoft Intune description: Learn how to configure policies and applications in preparation for device deployment. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Configure settings and applications with Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md index ddcb5d2bb8..1dc7d9beeb 100644 --- a/education/windows/tutorial-school-deployment/enroll-aadj.md +++ b/education/windows/tutorial-school-deployment/enroll-aadj.md @@ -3,8 +3,6 @@ title: Enrollment in Intune with standard out-of-box experience (OOBE) description: Learn how to join devices to Azure AD from OOBE and automatically get them enrolled in Intune. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Automatic Intune enrollment via Azure AD join diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md index 32ff8c37ed..e8070b995b 100644 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md @@ -1,10 +1,8 @@ --- title: Enrollment in Intune with Windows Autopilot description: Learn how to join Azure AD and enroll in Intune using Windows Autopilot. -ms.date: 08/31/2022 +ms.date: 03/08/2023 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Windows Autopilot @@ -99,7 +97,7 @@ To deploy the ESP to devices, you need to create an ESP profile in Microsoft Int For more information, see [Set up the Enrollment Status Page][MEM-3]. > [!CAUTION] -> When targeting an ESP to **Windows 11 SE** devices, only applications included in the [approved app list][EDU-1] should part of the ESP configuration. +> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3]. ### Autopilot end-user experience @@ -146,5 +144,6 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In [EDU-1]: /education/windows/windows-11-se-overview [EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot +[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page [SURF-1]: /surface/surface-autopilot-registration-support \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md index d816ed1b94..6537b7ea3a 100644 --- a/education/windows/tutorial-school-deployment/enroll-overview.md +++ b/education/windows/tutorial-school-deployment/enroll-overview.md @@ -3,8 +3,6 @@ title: Device enrollment overview description: Learn about the different options to enroll Windows devices in Microsoft Intune ms.date: 08/31/2022 ms.topic: overview -appliesto: - - ✅ Windows 10 and later --- # Device enrollment overview diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md index 9f96234636..e73ef21957 100644 --- a/education/windows/tutorial-school-deployment/enroll-package.md +++ b/education/windows/tutorial-school-deployment/enroll-package.md @@ -3,8 +3,6 @@ title: Enrollment of Windows devices with provisioning packages description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Enrollment with provisioning packages diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md index a23afe72b0..89577e6e9f 100644 --- a/education/windows/tutorial-school-deployment/index.md +++ b/education/windows/tutorial-school-deployment/index.md @@ -2,9 +2,7 @@ title: Introduction to the tutorial deploy and manage Windows devices in a school description: Introduction to deployment and management of Windows devices in education environments. ms.date: 08/31/2022 -ms.topic: conceptual -appliesto: - - ✅ Windows 10 and later +ms.topic: tutorial --- # Tutorial: deploy and manage Windows devices in a school diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md index 00559d4384..ff0997fad9 100644 --- a/education/windows/tutorial-school-deployment/manage-overview.md +++ b/education/windows/tutorial-school-deployment/manage-overview.md @@ -3,8 +3,6 @@ title: Manage devices with Microsoft Intune description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Manage devices with Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md index b9a1f80094..488d2513f1 100644 --- a/education/windows/tutorial-school-deployment/reset-wipe.md +++ b/education/windows/tutorial-school-deployment/reset-wipe.md @@ -3,8 +3,6 @@ title: Reset and wipe Windows devices description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Device reset options diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md index 899b8298dd..6aaea36211 100644 --- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md +++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md @@ -3,6 +3,7 @@ title: Set up Azure Active Directory description: Learn how to create and prepare your Azure AD tenant for an education environment. ms.date: 08/31/2022 ms.topic: tutorial +appliesto: --- # Set up Azure Active Directory diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md index 8d1b84254e..f55a5262c3 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md @@ -3,6 +3,7 @@ title: Set up device management description: Learn how to configure the Intune service and set up the environment for education. ms.date: 08/31/2022 ms.topic: tutorial +appliesto: --- # Set up Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md index a58a7f2d9a..5e27915802 100644 --- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md +++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md @@ -3,8 +3,6 @@ title: Troubleshoot Windows devices description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: - - ✅ Windows 10 and later --- # Troubleshoot Windows devices diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml index d03213a9d3..52fa4c5d69 100644 --- a/education/windows/windows-11-se-faq.yml +++ b/education/windows/windows-11-se-faq.yml @@ -33,6 +33,9 @@ sections: - question: Can I load Windows 11 SE on any hardware? answer: | Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview). + - question: Can I PXE boot a Windows SE device? + answer: | + No, Secure Boot prevents Windows SE devices from booting via PXE. As a workaround, you can use a UEFI bootable USB device to boot the device. - name: Applications and settings questions: - question: How can I install applications on Windows 11 SE? diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index f9adaaae34..e484296ed5 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -1,8 +1,8 @@ --- title: Windows 11 SE Overview description: Learn about Windows 11 SE, and the apps that are included with the operating system. -ms.topic: article -ms.date: 03/09/2023 +ms.topic: overview +ms.date: 08/03/2023 appliesto: - ✅ Windows 11 SE ms.collection: @@ -35,11 +35,11 @@ The following table lists the different application types available in Windows o | --- | --- | :---: | ---| |Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.| | Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. | -|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.| -|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.| +|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.| +|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.| > [!IMPORTANT] -> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications). +> If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications). ## Applications included in Windows 11 SE @@ -50,10 +50,10 @@ The following table lists all the applications included in Windows 11 SE and the | Alarm & Clock | UWP | | | | Calculator | UWP | ✅ | | | Camera | UWP | ✅ | | -| Microsoft Edge | Win32 | ✅ | ✅ | -| Excel | Win32 | ✅ | | +| Microsoft Edge | `Win32` | ✅ | ✅ | +| Excel | `Win32` | ✅ | | | Feedback Hub | UWP | | | -| File Explorer | Win32 | | ✅ | +| File Explorer | `Win32` | | ✅ | | FlipGrid | PWA | | | | Get Help | UWP | | | | Media Player | UWP | ✅ | | @@ -61,106 +61,120 @@ The following table lists all the applications included in Windows 11 SE and the | Minecraft: Education Edition | UWP | | | | Movies & TV | UWP | | | | News | UWP | | | -| Notepad | Win32 | | | -| OneDrive | Win32 | | | -| OneNote | Win32 | ✅ | | +| Notepad | `Win32` | | | +| OneDrive | `Win32` | | | +| OneNote | `Win32` | ✅ | | | Outlook | PWA | ✅ | | -| Paint | Win32 | ✅ | | +| Paint | `Win32` | ✅ | | | Photos | UWP | | | -| PowerPoint | Win32 | ✅ | | +| PowerPoint | `Win32` | ✅ | | | Settings | UWP | ✅ | | | Snip & Sketch | UWP | | | | Sticky Notes | UWP | | | -| Teams | Win32 | ✅ | | +| Teams | `Win32` | ✅ | | | To Do | UWP | | | | Whiteboard | UWP | ✅ | | -| Word | Win32 | ✅ | | +| Word | `Win32` | ✅ | | ## Available applications -The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1] +The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]. | Application | Supported version | App Type | Vendor | |-------------------------------------------|-------------------|----------|-------------------------------------------| -| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` | -| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` | -| `AirSecure` | 8.0.0 | Win32 | `AIR` | -| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` | -| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` | +| `3d builder` | 18.0.1931.0 | `Win32` | `Microsoft` | +| `Absolute Software Endpoint Agent` | 7.20.0.1 | `Win32` | `Absolute Software Corporation` | +| `AirSecure` | 8.0.0 | `Win32` | `AIR` | +| `Alertus Desktop` | 5.4.48.0 | `Win32` | `Alertus technologies` | +| `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` | | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | -| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` | -| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` | -| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` | -| `Class Policy` | 116.0.0 | Win32 | `Class Policy` | -| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | -| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | -| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` | -| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | -| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | +| `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` | +| `Cisco Umbrella` | 3.0.343.0 | `Win32` | `Cisco` | +| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` | +| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` | +| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` | +| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` | +| `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` | +| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` | +| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` | +| `DigiExam` | 14.0.6 | `Win32` | `Digiexam` | +| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` | -| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | -| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` | -| `EasyReader` | 10.0.3.481 | Win32 | `Dolphin Computer Access` | -| `Epson iProjection` | 3.31 | Win32 | `Epson` | -| `eTests` | 4.0.25 | Win32 | `CASAS` | -| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` | -| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` | -| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | -| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | -| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` | -| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` | -| `GuideConnect` | 1.23 | Win32 | `Dolphin Computer Access` | -| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` | -| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` | -| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` | -| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` | -| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` | -| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` | -| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` | -| `Keyman` | 16.0.138 | Win32 | `SIL International` +| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` | +| `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` | +| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` | +| `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` | +| `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` | +| `Epson iProjection` | 3.31 | `Win32` | `Epson` | +| `eTests` | 4.0.25 | `Win32` | `CASAS` | +| `Exam Writepad` | 23.2.4.2338 | `Win32` | `Sheldnet` | +| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` | +| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` | +| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` | +| `Ghotit Real Writer & Reader` | 10.14.2.3 | `Win32` | `Ghotit Ltd` | +| `GoGuardian` | 1.4.4 | `Win32` | `GoGuardian` | +| `Google Chrome` | 110.0.5481.178 | `Win32` | `Google` | +| `GuideConnect` | 1.24 | `Win32` | `Dolphin Computer Access` | +| `Illuminate Lockdown Browser` | 2.0.5 | `Win32` | `Illuminate Education` | +| `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` | +| `Impero Backdrop Client` | 5.0.87 | `Win32` | `Impero Software` | +| `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` | +| `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` | +| `JAWS for Windows` | 2022.2112.24 | `Win32` | `Freedom Scientific` | +| `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` | +| `Keyman` | 16.0.138 | `Win32` | `SIL International` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | -| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` | -| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` | -| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` | -| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` | +| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | `Win32` | `Kurzweil Educational Systems` | +| `LanSchool Classic` | 9.1.0.46 | `Win32` | `Stoneware, Inc.` | +| `LanSchool Air` | 2.0.13312 | `Win32` | `Stoneware, Inc.` | +| `Lightspeed Smart Agent` | 1.9.1 | `Win32` | `Lightspeed Systems` | +| `Lightspeed Filter Agent` | 2.3.4 | `Win32` | `Lightspeed Systems` | | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` | | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | -| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` | -| `NAPLAN` | 2.5.0 | Win32 | `NAP` | -| `Netref Student` | 23.1.0 | Win32 | `NetRef` | -| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` | -| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` | -| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` | -| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` | -| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` | -| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` | -| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` | -| `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` | -| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` | -| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` | -| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` | -| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` | -| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` | -| `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` | -| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | -| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` | -| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` | -| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` | -|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | -| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | -| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | -| `WordQ` | 5.4.23 | Win32 | `WordQ` | -| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` | -| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` | -| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` | +| `Mozilla Firefox` | 105.0.0 | `Win32` | `Mozilla` | +| `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` | +| `NAPLAN` | 5.2.2 | `Win32` | `NAP` | +| `Netref Student` | 23.1.0 | `Win32` | `NetRef` | +| `NetSupport DNA` | 4.80.0000 | `Win32` | `NetSupport` | +| `NetSupport Manager` | 14.00.0012 | `Win32` | `NetSupport` | +| `NetSupport Notify` | 5.10.1.223 | `Win32` | `NetSupport` | +| `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` | +| `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` | +| `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` | +| `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` | +| `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` | +| `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` | +| `PaperCut` | 22.0.6 | `Win32` | `PaperCut Software International Pty Ltd` | +| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` | +| `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` | +| `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` | +| `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` | +| `Remote Desktop client (MSRDC)` | 1.2.4240.0 | `Win32` | `Microsoft` | +| `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` | +| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | +| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | +|`SchoolYear` | 3.4.21 | `Win32` |`SchoolYear` | +|`School Manager` | 3.6.8.1109 | `Win32` |`School Manager` | +| `Senso.Cloud` | 2021.11.15.0 | `Win32` | `Senso.Cloud` | +| `Skoolnext` | 2.19 | `Win32` | `Skool.net` | +| `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` | +| `SuperNova Magnifier & Screen Reader` | 22.02 | `Win32` | `Dolphin Computer Access` | +| `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` | +|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | +| `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` | +| `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` | +| `WordQ` | 5.4.29 | `Win32` | `WordQ` | +| `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` | +| `ZoomText Fusion` | 2023.2303.77.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | `Win32` | `Freedom Scientific` | ## Add your own applications -If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. +If the applications you need aren't in the [available applications list](#available-applications), you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. Microsoft reviews every app request to make sure each app meets the following requirements: -- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more +- Apps can be any native Windows app type, such as a Microsoft Store app, `Win32` app, `.MSIX`, `.APPX`, and more - Apps must be in one of the following app categories: - Content Filtering apps - Test Taking solutions diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index 633ac67aa7..6536c45279 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -1,8 +1,8 @@ --- title: Windows 11 SE settings list description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change. -ms.topic: article -ms.date: 03/09/2023 +ms.topic: reference +ms.date: 08/18/2023 appliesto: - ✅ Windows 11 SE ms.collection: diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index f933dc3465..7c6ecca23b 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -1,30 +1,21 @@ --- title: Windows 10 editions for education customers description: Learn about the two Windows 10 editions that are designed for the needs of education institutions. -ms.topic: article -ms.date: 08/10/2022 +ms.topic: overview +ms.date: 07/25/2023 appliesto: - ✅ Windows 10 --- # Windows 10 editions for education customers -Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). +Windows 10 offers various new features and functionalities, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). -Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). - -Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. +Windows 10 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. ## Windows 10 Pro Education -Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). - -For Cortana[1](#footnote1): -- If you're using version 1607, Cortana is removed. -- If you're using new devices with version 1703 or later, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. - -You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future). @@ -38,13 +29,6 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). -For Cortana1: -- If you're using version 1607, Cortana1 is removed. -- If you're using new devices with version 1703 or later, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. - -You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). - Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you don't have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment. @@ -52,14 +36,11 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us). ## Related topics + - [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) - [Windows deployment for education](./index.yml) - [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths) - [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10) - [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client) - [Windows 10 subscription activation](/windows/deployment/windows-10-subscription-activation) - - - - -1 Cortana available in select markets; experience may vary by region and device. \ No newline at end of file +- \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg b/images/group-policy.svg similarity index 100% rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg rename to images/group-policy.svg diff --git a/images/information.svg b/images/information.svg new file mode 100644 index 0000000000..bc692eabb9 --- /dev/null +++ b/images/information.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg b/images/intune.svg similarity index 100% rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg rename to images/intune.svg diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg b/images/windows-os.svg similarity index 100% rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg rename to images/windows-os.svg diff --git a/includes/ai-disclaimer-generic.md b/includes/ai-disclaimer-generic.md new file mode 100644 index 0000000000..0e190e0e38 --- /dev/null +++ b/includes/ai-disclaimer-generic.md @@ -0,0 +1,10 @@ +--- +author: aczechowski +ms.author: aaroncz +ms.date: 03/31/2023 +ms.topic: include +ms.prod: windows-client +--- + +> [!NOTE] +> This article was partially created with the help of artificial intelligence. Before publishing, an author reviewed and revised the content as needed. For more information, see [Our principles for using AI-generated content in Microsoft Learn](/azure/principles-for-ai-generated-content). diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md new file mode 100644 index 0000000000..d30e2cc685 --- /dev/null +++ b/includes/configure/gpo-settings-1.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 +ms.topic: include +ms.prod: windows-client +--- + +To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings: \ No newline at end of file diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md new file mode 100644 index 0000000000..bf8ee52309 --- /dev/null +++ b/includes/configure/gpo-settings-2.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 +ms.topic: include +ms.prod: windows-client +--- + +The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups. \ No newline at end of file diff --git a/education/windows/includes/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md similarity index 86% rename from education/windows/includes/intune-custom-settings-1.md rename to includes/configure/intune-custom-settings-1.md index 5be4cd1204..60125a46d1 100644 --- a/education/windows/includes/intune-custom-settings-1.md +++ b/includes/configure/intune-custom-settings-1.md @@ -1,8 +1,9 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 02/22/2022 +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- To configure devices with Microsoft Intune, use a custom policy: diff --git a/education/windows/includes/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md similarity index 72% rename from education/windows/includes/intune-custom-settings-2.md rename to includes/configure/intune-custom-settings-2.md index d623773324..03977b7a0d 100644 --- a/education/windows/includes/intune-custom-settings-2.md +++ b/includes/configure/intune-custom-settings-2.md @@ -1,8 +1,9 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 11/08/2022 +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- 7. Select **Next** diff --git a/education/windows/includes/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md similarity index 67% rename from education/windows/includes/intune-custom-settings-info.md rename to includes/configure/intune-custom-settings-info.md index a7376ee4ff..8f406cf058 100644 --- a/education/windows/includes/intune-custom-settings-info.md +++ b/includes/configure/intune-custom-settings-info.md @@ -1,8 +1,9 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 11/08/2022 +ms.date: 08/15/2023 ms.topic: include +ms.prod: windows-client --- For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md new file mode 100644 index 0000000000..d0b87a5b78 --- /dev/null +++ b/includes/configure/intune-settings-catalog-1.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 +ms.topic: include +ms.prod: windows-client +--- + +To configure devices using Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings: \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-2.md b/includes/configure/intune-settings-catalog-2.md new file mode 100644 index 0000000000..287d5ebbf1 --- /dev/null +++ b/includes/configure/intune-settings-catalog-2.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 +ms.topic: include +ms.prod: windows-client +--- + +Assign the policy to a group that contains as members the devices or users that you want to configure. \ No newline at end of file diff --git a/includes/configure/provisioning-package-1.md b/includes/configure/provisioning-package-1.md new file mode 100644 index 0000000000..951ca428e3 --- /dev/null +++ b/includes/configure/provisioning-package-1.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/12/2023 +ms.topic: include +ms.prod: windows-client +--- + +Use the following settings to [create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package): diff --git a/includes/configure/provisioning-package-2.md b/includes/configure/provisioning-package-2.md new file mode 100644 index 0000000000..b600e58e47 --- /dev/null +++ b/includes/configure/provisioning-package-2.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/12/2023 +ms.topic: include +ms.prod: windows-client +--- + +[Apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to the devices that you want to configure. diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md new file mode 100644 index 0000000000..a818e4df8b --- /dev/null +++ b/includes/configure/tab-intro.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 +ms.topic: include +ms.prod: windows-client +--- + +The following instructions provide details how to configure your devices. Select the option that best suits your needs. \ No newline at end of file diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md new file mode 100644 index 0000000000..fcb9271823 --- /dev/null +++ b/includes/licensing/_edition-requirements.md @@ -0,0 +1,91 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education | +|:---|:---:|:---:|:---:|:---:| +|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes| +|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes| +|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes| +|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes| +|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes| +|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes| +|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes| +|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes| +|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes| +|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes| +|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes| +|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes| +|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes| +|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes| +|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|❌|Yes| +|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes| +|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes| +|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes| +|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes| +|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes| +|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes| +|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes| +|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes| +|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes| +|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes| +|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes| +|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes| +|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes| +|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes| +|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes| +|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes| +|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes| +|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes| +|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes| +|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes| +|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes| +|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes| +|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes| +|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes| +|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes| +|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes| +|**Privacy Resource Usage**|Yes|Yes|Yes|Yes| +|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes| +|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| +|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes| +|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes| +|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes| +|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes| +|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes| +|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes| +|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes| +|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| +|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes| +|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes| +|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes| +|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes| +|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes| +|**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes| +|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes| +|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes| +|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes| +|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes| +|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes| +|**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes| +|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes| +|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes| +|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| +|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes| +|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes| +|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes| +|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes| +|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes| +|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes| +|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md new file mode 100644 index 0000000000..fce70cbf8d --- /dev/null +++ b/includes/licensing/_licensing-requirements.md @@ -0,0 +1,91 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---|:---:|:---:|:---:|:---:|:---:| +|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes| +|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes| +|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes|Yes| +|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes| +|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes| +|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes| +|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes| +|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes| +|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes| +|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes| +|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes| +|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes| +|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes| +|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes| +|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|Yes|Yes|Yes| +|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes| +|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes| +|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes|Yes| +|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes| +|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes| +|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|Yes| +|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes| +|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes| +|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|Yes|Yes|❌|❌| +|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes| +|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes| +|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes| +|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes| +|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|Yes| +|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌| +|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes| +|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes| +|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes| +|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes| +|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes| +|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes| +|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes| +|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes| +|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes| +|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| +|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes| +|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes| +|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes| +|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes| +|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes| +|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes| +|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| +|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes| +|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|Yes| +|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes| +|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes| +|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|Yes| +|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes| +|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes| +|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes|Yes| +|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌| +|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/access-control-aclsacl.md b/includes/licensing/access-control-aclsacl.md new file mode 100644 index 0000000000..7914dd8fd5 --- /dev/null +++ b/includes/licensing/access-control-aclsacl.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Access Control (ACL/SACL): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Access Control (ACL/SACL) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md new file mode 100644 index 0000000000..3ca26ae6ea --- /dev/null +++ b/includes/licensing/account-lockout-policy.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Account Lockout Policy: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Account Lockout Policy license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md new file mode 100644 index 0000000000..dadb8c49ae --- /dev/null +++ b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Active Directory domain join, Microsoft Entra join, and Microsoft Entra Hybrid join with single sign-on (SSO) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md new file mode 100644 index 0000000000..c02b90d456 --- /dev/null +++ b/includes/licensing/always-on-vpn-device-tunnel.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Always On VPN (device tunnel): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Always On VPN (device tunnel) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/app-containers.md b/includes/licensing/app-containers.md new file mode 100644 index 0000000000..8777c075d8 --- /dev/null +++ b/includes/licensing/app-containers.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support App containers: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +App containers license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/applocker.md b/includes/licensing/applocker.md new file mode 100644 index 0000000000..26e08b6b83 --- /dev/null +++ b/includes/licensing/applocker.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support AppLocker: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +AppLocker license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md new file mode 100644 index 0000000000..f14704f482 --- /dev/null +++ b/includes/licensing/assigned-access-kiosk-mode.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Assigned Access (kiosk mode): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Assigned Access (kiosk mode) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md new file mode 100644 index 0000000000..3f2b9094aa --- /dev/null +++ b/includes/licensing/attack-surface-reduction-asr.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Attack surface reduction (ASR): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Attack surface reduction (ASR) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/azure-code-signing.md b/includes/licensing/azure-code-signing.md new file mode 100644 index 0000000000..ace7222901 --- /dev/null +++ b/includes/licensing/azure-code-signing.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Azure Code Signing: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Azure Code Signing license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/bitlocker-enablement.md b/includes/licensing/bitlocker-enablement.md new file mode 100644 index 0000000000..42fdd23a24 --- /dev/null +++ b/includes/licensing/bitlocker-enablement.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support BitLocker enablement: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +BitLocker enablement license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/bitlocker-management.md b/includes/licensing/bitlocker-management.md new file mode 100644 index 0000000000..c9c3827684 --- /dev/null +++ b/includes/licensing/bitlocker-management.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support BitLocker management: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +BitLocker management license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md new file mode 100644 index 0000000000..62054635e0 --- /dev/null +++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Bluetooth pairing and connection protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Bluetooth pairing and connection protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md new file mode 100644 index 0000000000..1eef471e1f --- /dev/null +++ b/includes/licensing/common-criteria-certifications.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Common Criteria certifications: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Common Criteria certifications license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md new file mode 100644 index 0000000000..653c17f98a --- /dev/null +++ b/includes/licensing/controlled-folder-access.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Controlled folder access: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Controlled folder access license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/credential-guard.md b/includes/licensing/credential-guard.md new file mode 100644 index 0000000000..43c956dd67 --- /dev/null +++ b/includes/licensing/credential-guard.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Credential Guard: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Credential Guard license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md new file mode 100644 index 0000000000..8262e8af6c --- /dev/null +++ b/includes/licensing/device-health-attestation-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Device health attestation service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Device health attestation service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md new file mode 100644 index 0000000000..7ff5d0349a --- /dev/null +++ b/includes/licensing/direct-access.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Direct Access: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Direct Access license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/domain-name-system-dns-security.md b/includes/licensing/domain-name-system-dns-security.md new file mode 100644 index 0000000000..6c201664a7 --- /dev/null +++ b/includes/licensing/domain-name-system-dns-security.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Domain Name System (DNS) security: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Domain Name System (DNS) security license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md new file mode 100644 index 0000000000..0b6eba0e94 --- /dev/null +++ b/includes/licensing/email-encryption-smime.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Email Encryption (S/MIME): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Email Encryption (S/MIME) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md new file mode 100644 index 0000000000..250860e3d7 --- /dev/null +++ b/includes/licensing/encrypted-hard-drive.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Encrypted hard drive: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Encrypted hard drive license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md new file mode 100644 index 0000000000..f3e9d9e7eb --- /dev/null +++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Enhanced phishing protection with SmartScreen: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Enhanced phishing protection with SmartScreen license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md new file mode 100644 index 0000000000..e3cc381820 --- /dev/null +++ b/includes/licensing/exploit-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Exploit protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Exploit protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md new file mode 100644 index 0000000000..255e023c53 --- /dev/null +++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Federal Information Processing Standard (FIPS) 140 validation: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Federal Information Processing Standard (FIPS) 140 validation license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md new file mode 100644 index 0000000000..701d2a3bde --- /dev/null +++ b/includes/licensing/federated-sign-in.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Federated sign-in: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|No|Yes|Yes| + +Federated sign-in license entitlements are granted by the following licenses: + +|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|No|No| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/fido2-security-key.md b/includes/licensing/fido2-security-key.md new file mode 100644 index 0000000000..a75a664ba2 --- /dev/null +++ b/includes/licensing/fido2-security-key.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support FIDO2 security key: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +FIDO2 security key license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md new file mode 100644 index 0000000000..015c2029c7 --- /dev/null +++ b/includes/licensing/hardware-enforced-stack-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Hardware-enforced stack protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Hardware-enforced stack protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md new file mode 100644 index 0000000000..6ec3e17ec0 --- /dev/null +++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Hypervisor-protected Code Integrity (HVCI): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Hypervisor-protected Code Integrity (HVCI) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md new file mode 100644 index 0000000000..b6a67f8b82 --- /dev/null +++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Kernel Direct Memory Access (DMA) protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Kernel Direct Memory Access (DMA) protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md new file mode 100644 index 0000000000..9fb5ffeb78 --- /dev/null +++ b/includes/licensing/local-security-authority-lsa-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Local Security Authority (LSA) Protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Local Security Authority (LSA) Protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md new file mode 100644 index 0000000000..6d62dc4f3e --- /dev/null +++ b/includes/licensing/measured-boot.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Measured boot: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Measured boot license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md new file mode 100644 index 0000000000..bfa1a523e4 --- /dev/null +++ b/includes/licensing/microsoft-defender-antivirus.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Antivirus: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender Antivirus license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md new file mode 100644 index 0000000000..8b1f61512a --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) configure via MDM: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) configure via MDM license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md new file mode 100644 index 0000000000..92bde833e7 --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md new file mode 100644 index 0000000000..40bd08c713 --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge standalone mode: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender Application Guard (MDAG) for Edge standalone mode license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md new file mode 100644 index 0000000000..a808fad367 --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Microsoft Office: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) for Microsoft Office license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|No|No|No|No| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md new file mode 100644 index 0000000000..1451e70955 --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) public APIs: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) public APIs license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md new file mode 100644 index 0000000000..3c405e4747 --- /dev/null +++ b/includes/licensing/microsoft-defender-for-endpoint.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender for Endpoint: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender for Endpoint license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|No|Yes|No|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md new file mode 100644 index 0000000000..4f8c6afb14 --- /dev/null +++ b/includes/licensing/microsoft-defender-smartscreen.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender SmartScreen: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender SmartScreen license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-pluton.md b/includes/licensing/microsoft-pluton.md new file mode 100644 index 0000000000..6d127fec25 --- /dev/null +++ b/includes/licensing/microsoft-pluton.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Pluton: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Pluton license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-security-development-lifecycle-sdl.md b/includes/licensing/microsoft-security-development-lifecycle-sdl.md new file mode 100644 index 0000000000..c772ef45b4 --- /dev/null +++ b/includes/licensing/microsoft-security-development-lifecycle-sdl.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Security Development Lifecycle (SDL): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Security Development Lifecycle (SDL) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md new file mode 100644 index 0000000000..58866a171a --- /dev/null +++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft vulnerable driver blocklist: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft vulnerable driver blocklist license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md new file mode 100644 index 0000000000..fe6aa10f30 --- /dev/null +++ b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Windows Insider Preview bounty program: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Windows Insider Preview bounty program license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/modern-device-management-through-mdm.md b/includes/licensing/modern-device-management-through-mdm.md new file mode 100644 index 0000000000..07bac3574c --- /dev/null +++ b/includes/licensing/modern-device-management-through-mdm.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Modern device management through (MDM): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Modern device management through (MDM) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/onefuzz-service.md b/includes/licensing/onefuzz-service.md new file mode 100644 index 0000000000..d58b1b1f23 --- /dev/null +++ b/includes/licensing/onefuzz-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support OneFuzz service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +OneFuzz service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md new file mode 100644 index 0000000000..2954ec4c83 --- /dev/null +++ b/includes/licensing/opportunistic-wireless-encryption-owe.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Opportunistic Wireless Encryption (OWE): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Opportunistic Wireless Encryption (OWE) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/passkeys.md b/includes/licensing/passkeys.md new file mode 100644 index 0000000000..dae8584454 --- /dev/null +++ b/includes/licensing/passkeys.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support passkeys: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Passkeys license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md new file mode 100644 index 0000000000..ff1909674e --- /dev/null +++ b/includes/licensing/personal-data-encryption-pde.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Personal data encryption (PDE): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Personal data encryption (PDE) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md new file mode 100644 index 0000000000..656e7d6bde --- /dev/null +++ b/includes/licensing/privacy-resource-usage.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Privacy Resource Usage: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Privacy Resource Usage license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md new file mode 100644 index 0000000000..09a88191f1 --- /dev/null +++ b/includes/licensing/privacy-transparency-and-controls.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Privacy Transparency and Controls: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Privacy Transparency and Controls license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/remote-credential-guard.md b/includes/licensing/remote-credential-guard.md new file mode 100644 index 0000000000..a9d5e47bfa --- /dev/null +++ b/includes/licensing/remote-credential-guard.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Remote Credential Guard: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Remote Credential Guard license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md new file mode 100644 index 0000000000..416338f11f --- /dev/null +++ b/includes/licensing/remote-wipe.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Remote wipe: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Remote wipe license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md new file mode 100644 index 0000000000..1a28ce37fb --- /dev/null +++ b/includes/licensing/secure-boot-and-trusted-boot.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Secure Boot and Trusted Boot: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Secure Boot and Trusted Boot license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md new file mode 100644 index 0000000000..065fb9930f --- /dev/null +++ b/includes/licensing/secured-core-configuration-lock.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Secured-core configuration lock: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Secured-core configuration lock license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/secured-core-pc-firmware-protection.md b/includes/licensing/secured-core-pc-firmware-protection.md new file mode 100644 index 0000000000..17d33cd9dd --- /dev/null +++ b/includes/licensing/secured-core-pc-firmware-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Secured-core PC firmware protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Secured-core PC firmware protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md new file mode 100644 index 0000000000..697e3c1347 --- /dev/null +++ b/includes/licensing/security-baselines.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Security baselines: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Security baselines license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md new file mode 100644 index 0000000000..e40088e7da --- /dev/null +++ b/includes/licensing/server-message-block-direct-smb-direct.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Server Message Block Direct (SMB Direct): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Server Message Block Direct (SMB Direct) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md new file mode 100644 index 0000000000..c2417234ba --- /dev/null +++ b/includes/licensing/server-message-block-smb-file-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Server Message Block (SMB) file service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Server Message Block (SMB) file service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md new file mode 100644 index 0000000000..8a281fcbd6 --- /dev/null +++ b/includes/licensing/smart-app-control.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Smart App Control: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Smart App Control license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md new file mode 100644 index 0000000000..f89dfe5b27 --- /dev/null +++ b/includes/licensing/smart-cards-for-windows-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Smart Cards for Windows Service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Smart Cards for Windows Service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/software-bill-of-materials-sbom.md b/includes/licensing/software-bill-of-materials-sbom.md new file mode 100644 index 0000000000..72c7191537 --- /dev/null +++ b/includes/licensing/software-bill-of-materials-sbom.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Software Bill of Materials (SBOM): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Software Bill of Materials (SBOM) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md new file mode 100644 index 0000000000..5fc00e80ef --- /dev/null +++ b/includes/licensing/tamper-protection-settings-for-mde.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Tamper protection settings for MDE: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Tamper protection settings for MDE license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md new file mode 100644 index 0000000000..e3893e47b5 --- /dev/null +++ b/includes/licensing/transport-layer-security-tls.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Transport Layer Security (TLS): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Transport Layer Security (TLS) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/trusted-platform-module-tpm.md b/includes/licensing/trusted-platform-module-tpm.md new file mode 100644 index 0000000000..1c441f151a --- /dev/null +++ b/includes/licensing/trusted-platform-module-tpm.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Trusted Platform Module (TPM): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Trusted Platform Module (TPM) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md new file mode 100644 index 0000000000..100a608c5e --- /dev/null +++ b/includes/licensing/universal-print.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Universal Print: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Universal Print license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md new file mode 100644 index 0000000000..5aad4958ad --- /dev/null +++ b/includes/licensing/user-account-control-uac.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support User Account Control (UAC): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +User Account Control (UAC) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md new file mode 100644 index 0000000000..812d47fa6b --- /dev/null +++ b/includes/licensing/virtual-private-network-vpn.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Virtual private network (VPN): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Virtual private network (VPN) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md new file mode 100644 index 0000000000..912d2c961d --- /dev/null +++ b/includes/licensing/virtualization-based-security-vbs.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Virtualization-based security (VBS): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Virtualization-based security (VBS) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/web-sign-in.md b/includes/licensing/web-sign-in.md new file mode 100644 index 0000000000..73f9fd09e5 --- /dev/null +++ b/includes/licensing/web-sign-in.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Web sign-in: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Web sign-in license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md new file mode 100644 index 0000000000..9e2cf75579 --- /dev/null +++ b/includes/licensing/wifi-security.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support WiFi Security: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +WiFi Security license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-application-software-development-kit-sdk.md b/includes/licensing/windows-application-software-development-kit-sdk.md new file mode 100644 index 0000000000..65ba17659f --- /dev/null +++ b/includes/licensing/windows-application-software-development-kit-sdk.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows application software development kit (SDK): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows application software development kit (SDK) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md new file mode 100644 index 0000000000..9d5dab8d27 --- /dev/null +++ b/includes/licensing/windows-autopatch.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Autopatch: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Windows Autopatch license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|No|No| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md new file mode 100644 index 0000000000..ae6d646c68 --- /dev/null +++ b/includes/licensing/windows-autopilot.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Autopilot: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Autopilot license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md new file mode 100644 index 0000000000..52264205ff --- /dev/null +++ b/includes/licensing/windows-defender-application-control-wdac.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Defender Application Control (WDAC): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md new file mode 100644 index 0000000000..cecce5edd5 --- /dev/null +++ b/includes/licensing/windows-defender-system-guard.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Defender System Guard: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Defender System Guard license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md new file mode 100644 index 0000000000..cfdbbca9d9 --- /dev/null +++ b/includes/licensing/windows-firewall.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Firewall: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Firewall license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md new file mode 100644 index 0000000000..780134b0ae --- /dev/null +++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Hello for Business Enhanced Security Sign-in (ESS): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Hello for Business Enhanced Security Sign-in (ESS) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md new file mode 100644 index 0000000000..229a6ae597 --- /dev/null +++ b/includes/licensing/windows-hello-for-business.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Hello for Business: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Hello for Business license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md new file mode 100644 index 0000000000..d0fa59421e --- /dev/null +++ b/includes/licensing/windows-laps.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows LAPS: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows LAPS license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-passwordless-experience.md b/includes/licensing/windows-passwordless-experience.md new file mode 100644 index 0000000000..e24ee8935e --- /dev/null +++ b/includes/licensing/windows-passwordless-experience.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows passwordless experience: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows passwordless experience license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md new file mode 100644 index 0000000000..aba249fcb0 --- /dev/null +++ b/includes/licensing/windows-presence-sensing.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows presence sensing: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows presence sensing license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md new file mode 100644 index 0000000000..65198775ad --- /dev/null +++ b/includes/licensing/windows-sandbox.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Sandbox: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Sandbox license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md new file mode 100644 index 0000000000..07f612b6ae --- /dev/null +++ b/includes/licensing/windows-security-policy-settings-and-auditing.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows security policy settings and auditing: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows security policy settings and auditing license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index e4d5e9ef2e..a5cee55a8b 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md @@ -10,26 +10,31 @@ manager: scotv ms.reviewer: ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Acquire apps in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). -> [!IMPORTANT] -> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). +> [!NOTE] +> As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). -As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md). The following sections explain some of the settings for shopping. +As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md). The following sections explain some of the settings for shopping. ## App licensing model + The Microsoft Store supports two options to license apps: online and offline. **Online** licensing is the default licensing model. Online licensed apps require users and devices to connect to the Microsoft Store services to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information on the Microsoft Store licensing model, see [licensing model](./apps-in-microsoft-store-for-business.md#licensing-model). ## Payment options + Some apps are free, and some have a price. Apps can be purchased in the Microsoft Store using your credit card. You can enter your credit card information on **Account Information**, or when you purchase an app. Currently, we accept these credit cards: + - VISA - MasterCard - Discover @@ -37,19 +42,23 @@ Some apps are free, and some have a price. Apps can be purchased in the Microsof - Japan Commercial Bureau (JCB) ## Organization info + There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** or **Payments & billing** page before you buy apps. If you haven't provided it, we'll ask when you make a purchase. Either way works. Here's the info you'll need to provide: + - Legal business address - Payment option (credit card) ## Allow users to shop **Allow users to shop** controls the shopping experience in Microsoft Store for Education. When this setting is on, **Purchasers** and **Basic Purchasers** can purchase products and services from Microsoft Store for Education. If your school chooses to closely control how purchases are made, admins can turn off **Allow users to shop**. When the setting is off: + - The shopping experience is not available - **Purchasers** and **Basic Purchasers** can't purchase products and services from Microsoft Store for Education - Admins can't assign shopping roles to users - Products and services previously purchased by **Basic Purchasers** can be managed by admins. **To manage Allow users to shop setting** + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) 2. Select **Manage**, and then select **Settings**. 3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**. @@ -61,12 +70,15 @@ There are a couple of things we need to know when you pay for apps. You can add People in your org can request license for apps that they need, or that others need. When **Allow app requests** is turned on, app requests are sent to org admins. Admins for your tenant will receive an email with the request, and can decide about making the purchase. **To manage Allow app requests** + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) 2. Select **Manage**, and then select **Settings**. 3. On **Shop**, under **Shopping behavior** turn on or turn off **Allow app requests**. ## Acquire apps + **To acquire an app** + 1. Sign in to https://businessstore.microsoft.com 2. Select **Shop for my group**, or use Search to find an app. 3. Select the app you want to purchase. @@ -78,6 +90,7 @@ People in your org can request license for apps that they need, or that others n You'll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](./update-microsoft-store-for-business-account-settings.md#organization-tax-information). Microsoft Store adds the app to your inventory. From **Products & services**, you can: + - Distribute the app: add to private store, or assign licenses - View app licenses: review current licenses, reclaim and reassign licenses - View app details: review the app details page and purchase more licenses diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index d2cf5a3906..73cb1cafc3 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md @@ -4,22 +4,25 @@ description: Add an Autopilot profile to devices. Autopilot profiles control wha ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa -ms.date: 07/21/2021 +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv +ms.date: 05/24/2023 ms.reviewer: -manager: dansimp ms.topic: conceptual ms.localizationpriority: medium --- # Manage Windows device deployment with Windows Autopilot Deployment -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot). diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md index 926aa750f9..1ac1b42374 100644 --- a/store-for-business/app-inventory-management-microsoft-store-for-business.md +++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md @@ -3,24 +3,26 @@ title: App inventory management for Microsoft Store for Business and Microsoft S description: You can manage all apps that you've acquired on your Apps & Software page. ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # App inventory management for Microsoft Store for Business and Education -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md index 661d98861a..92bced3780 100644 --- a/store-for-business/apps-in-microsoft-store-for-business.md +++ b/store-for-business/apps-in-microsoft-store-for-business.md @@ -3,26 +3,27 @@ title: Apps in Microsoft Store for Business and Education (Windows 10) description: Microsoft Store for Business has thousands of apps from many different categories. ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Apps in Microsoft Store for Business and Education +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Microsoft Store for Business and Education has thousands of apps from many different categories. diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md index c296c8f37d..db0e139ab0 100644 --- a/store-for-business/assign-apps-to-employees.md +++ b/store-for-business/assign-apps-to-employees.md @@ -3,26 +3,27 @@ title: Assign apps to employees (Windows 10) description: Administrators can assign online-licensed apps to employees and students in their organization. ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/27/2023 --- # Assign apps to employees +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization. diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md index 5205cbadba..08d60c558e 100644 --- a/store-for-business/billing-payments-overview.md +++ b/store-for-business/billing-payments-overview.md @@ -5,19 +5,20 @@ keywords: billing, payment methods, invoices, credit card, debit card ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 -ms.reviewer: -manager: dansimp +ms.date: 05/24/2023 --- # Billing and payments > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Access invoices and managed your payment methods. diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md index 82581997ea..43924342b2 100644 --- a/store-for-business/billing-profile.md +++ b/store-for-business/billing-profile.md @@ -5,23 +5,26 @@ keywords: billing profile, invoices, charges, managed charges ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: trudyha -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/23/2023 ms.reviewer: -manager: dansimp --- # Understand billing profiles > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). -For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. +For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. Billing profiles include: + - **Payment methods** – Credit cards or check/wire transfer - **Contact info** - Billing address and a contact name - **Permissions** – Permissions that allow you to change the billing profile, pay bills, or use the payment method on the billing profile to make purchases diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index e500732cc9..7a196272c8 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -4,24 +4,27 @@ description: Learn how to read and understand your MCA bill ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: trudyha -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 ms.reviewer: -manager: dansimp --- # Understand your Microsoft Customer Agreement invoice > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). The invoice provides a summary of your charges and provides instructions for payment. It's available for download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements). ## General invoice information + Invoices are your bill from Microsoft. A few things to note: - **Invoice schedule** - You're invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**. @@ -75,7 +78,7 @@ The **Billing Summary** shows the charges against the billing profile since the | Credits |Credits you received from returns | | Azure credits applied |Your Azure credits that are automatically applied to Azure charges each billing period | | Subtotal |The pre-tax amount due | -| Tax |The type and amount of tax that you pay, depending on the country of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. | +| Tax |The type and amount of tax that you pay, depending on the country/region of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. | | Estimated total savings |The estimated total amount you saved from effective discounts. If applicable, effective discount rates are listed beneath the purchase line items in Details by Invoice Section. | ### Understand your charges @@ -98,7 +101,7 @@ The total amount due for each service family is calculated by subtracting Azure | Qty | Quantity purchased or consumed during the billing period | | Charges/Credits | Net amount of charges after credits/refunds are applied | | Azure Credit | The amount of Azure credits applied to the Charges/Credits| -| Tax rate | Tax rate(s) depending on country | +| Tax rate | Tax rate(s) depending on country/region | | Tax amount | Amount of tax applied to purchase based on tax rate | | Total | The total amount due for the purchase | diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md index 190b9be3e6..8f2ddc7b24 100644 --- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md +++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md @@ -3,25 +3,27 @@ title: Configure an MDM provider (Windows 10) description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Configure an MDM provider -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content. diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index b443e48e71..e391ccb12a 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -3,25 +3,27 @@ title: Distribute apps using your private store (Windows 10) description: The private store is a feature in Microsoft Store for Business and Microsoft Store for Education that organizations receive during the signup process. ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Distribute apps using your private store -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md index 7f88c7212e..ed5f058ffe 100644 --- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md +++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md @@ -3,26 +3,27 @@ title: Distribute apps to your employees from the Microsoft Store for Business a description: Distribute apps to your employees from Microsoft Store for Business or Microsoft Store for Education. You can assign apps to employees,or let employees install them from your private store. ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Distribute apps to your employees from Microsoft Store for Business and Education +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store. @@ -34,4 +35,3 @@ Distribute apps to your employees from Microsoft Store for Business and Microsof | [Assign apps to employees](assign-apps-to-employees.md) | Admins can assign online-licensed apps to people in their organization. | | [Distribute apps with a management tool](distribute-apps-with-management-tool.md) | Admins can configure a mobile device management (MDM) tool to synchronize your Microsoft Store inventory. Microsoft Store management tool services work with MDM tools to manage content. | | [Distribute offline apps](distribute-offline-apps.md) | Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. This allows organizations to deploy apps to devices without connectivity to the Store. | - diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index 90e4939804..77faaf7d85 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -3,26 +3,27 @@ title: Distribute apps with a management tool (Windows 10) description: You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content. ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Distribute apps with a management tool +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content. diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 765f0b39ce..d4049b9caa 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -3,27 +3,28 @@ title: Distribute offline apps (Windows 10) description: Offline licensing is a new licensing option for Windows 10. ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Distribute offline apps - **Applies to:** - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). -> +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). + Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store. ## Why offline-licensed apps? @@ -45,8 +46,9 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y - **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages). - **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: - - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - - [Manage apps from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
+ + - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) + - [Manage apps from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) For third-party MDM providers or management servers, check your product documentation. diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index c0b85a8a1d..f0006e84b3 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -37,6 +37,7 @@ "tier2" ], "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.author": "trudyha", "audience": "ITPro", "ms.service": "store-for-business", @@ -65,7 +66,8 @@ "dstrome", "v-dihans", "garycentric", - "v-stsavell" + "v-stsavell", + "beccarobins" ] }, "fileMetadata": {}, diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md index ad4b5f621a..0226497186 100644 --- a/store-for-business/find-and-acquire-apps-overview.md +++ b/store-for-business/find-and-acquire-apps-overview.md @@ -3,26 +3,27 @@ title: Find and acquire apps (Windows 10) description: Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Find and acquire apps +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 99a065dd84..000c3669c0 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -1,14 +1,21 @@ ---- -ms.date: 10/31/2020 ---- -## Week of April 25, 2022 +## Week of July 10, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 4/28/2022 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified | -| 4/28/2022 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified | +| 7/14/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified | +| 7/14/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified | +| 7/14/2023 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified | + + +## Week of June 26, 2023 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 6/29/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified | +| 6/29/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified | diff --git a/store-for-business/index.md b/store-for-business/index.md index 369336371c..2d6b07538f 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -10,24 +10,27 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: high -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Microsoft Store for Business and Education -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school. -> [!IMPORTANT] -> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won't be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of "free" will still be available. This change doesn't impact apps in the Microsoft Store on Windows 10. +> [!NOTE] > -> Also starting April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education. +> - As of April 14, 2021, all apps that charge a base price above free are no longer available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases are possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you can't buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use from the private store. Apps with a base price of "free" are still available. This change doesn't impact apps in the Microsoft Store on Windows 10. +> +> - Also as of April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education. ## In this section diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md index 2b8c3e26f4..7ebf151814 100644 --- a/store-for-business/manage-access-to-private-store.md +++ b/store-for-business/manage-access-to-private-store.md @@ -3,71 +3,44 @@ title: Manage access to private store (Windows 10) description: You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education. ms.assetid: 4E00109C-2782-474D-98C0-02A05BE613A5 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Manage access to private store +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). + +## Microsoft Store for Business tab removed + +In April 2023, the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. The Microsoft Store for Business tab will continue to be available on Hololens devices. Users will no longer be able to see products added to the private store within the Microsoft Store app and will need to go to the [Microsoft Store for Business](https://businessstore.microsoft.com/) website to access the private store. + +The [ApplicationManagement/RequirePrivateStoreOnly](/windows/client-management/mdm/policy-configuration-service-provider#ApplicationManagement_RequirePrivateStoreOnly) MDM policy and **Only display the private store within the Microsoft Store app** Group policy will block access to the Microsoft Store app entirely. With those policies in place, users may see one of the following errors in the Microsoft Store app. + +1. Microsoft Store is blocked + Check with your IT or system administrator + Report this problem + Code 0x700704E +2. Try that again + Page could not be loaded. Please try that again + Refresh the page + Code 0x80131500 +3. This place is off-limits + Not sure how you got here, but there's nothing for you here. + Report this problem + Refresh this Page. + +## Manage private store access You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education. You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in Microsoft Store. Using the private store with the Microsoft Store for Business and Education, admins can curate the set of apps that are available. -The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this: - - - -Organizations can use either an MDM policy, or Group Policy to show only their private store in Microsoft Store. - -## Show private store only using MDM policy - -Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](/windows/client-management/mdm/policy-configuration-service-provider#ApplicationManagement_RequirePrivateStoreOnly) policy. - -**ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions: - -- Enterprise -- Education - -For more information on configuring an MDM provider, see [Configure an MDM provider](./configure-mdm-provider-microsoft-store-for-business.md). - -## Show private store only using Group Policy - -If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. - -**Only display the private store within Microsoft Store app** group policy is supported on the following Windows 10 editions: - -- Enterprise -- Education - -**To show private store only in Microsoft Store app** - -1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. - -2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**. - -3. Right-click **Only display the private store within Microsoft Store app** in the right pane, and click **Edit**. - - This opens the **Only display the private store within the Microsoft Store app** policy settings. - -4. On the **Only display the private store within the Microsoft Store app** setting page, click **Enabled**, and then click **OK**. - -You can also prevent employees from using Microsoft Store. For more information, see [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store). +The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab on the [Microsoft Store for Business site](https://businessstore.microsoft.com/store/private-store), and is usually named for your company or organization. Only apps with online licenses can be added to the private store. ## Related topics -[Distribute apps using your private store](distribute-apps-from-your-private-store.md) -[Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store) \ No newline at end of file +[Distribute apps using your private store](distribute-apps-from-your-private-store.md)\ +[Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store) diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md index 706e1bc726..ead437bd5b 100644 --- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md +++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md @@ -3,27 +3,29 @@ title: Manage products and services in Microsoft Store for Business (Windows 10) description: Manage apps, software, devices, products and services in Microsoft Store for Business. ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Manage apps in Microsoft Store for Business and Education -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). -Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. +Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. ## In this section diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index dfc9b3d00d..22ae3cf389 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md @@ -4,23 +4,26 @@ description: You can view your order history with Microsoft Store for Business o ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 ms.reviewer: -manager: dansimp --- # Manage app orders in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds. **Order history** lists orders in chronological order and shows: + - Date ordered - Product name - Product publisher @@ -28,6 +31,7 @@ After you've acquired apps, you can review order information and invoices on **O - Order status. Click to expand an order, and the following info is available: + - Who purchased the app - Order number - Quantity purchased @@ -49,6 +53,7 @@ For free apps, there isn't really a refund to request -- you're removing the app **Refunds for apps that have a price** There are a few requirements for apps that have a price: + - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 218f2b5aac..fe4d105828 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -3,25 +3,27 @@ title: Manage private store settings (Windows 10) description: The private store is a feature in the Microsoft Store for Business and Microsoft Store for Education that organizations receive during the sign up process. ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual -ms.date: 07/21/2021 +ms.date: 05/24/2023 ms.localizationpriority: medium --- # Manage private store settings -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md index e3d9147262..ad7a735cf4 100644 --- a/store-for-business/manage-settings-microsoft-store-for-business.md +++ b/store-for-business/manage-settings-microsoft-store-for-business.md @@ -3,25 +3,27 @@ title: Manage settings for Microsoft Store for Business and Microsoft Store for description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Manage settings for Microsoft Store for Business and Education -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md index 36ec4938f9..ab89a344ff 100644 --- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md +++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md @@ -3,26 +3,27 @@ title: Manage user accounts in Microsoft Store for Business and Microsoft Store description: Microsoft Store for Business and Microsoft Store for Education manages permissions with a set of roles. Currently, you can assign these roles to individuals in your organization, but not to groups. ms.assetid: 5E7FA071-CABD-4ACA-8AAE-F549EFCE922F ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Manage user accounts in Microsoft Store for Business and Education +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups. diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index 3318a1ca0c..af54ebd7c7 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -4,22 +4,26 @@ description: Preview version of PowerShell module ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.custom: has-azure-ad-ps-ref +ms.date: 05/24/2023 ms.reviewer: -manager: dansimp --- # Microsoft Store for Business and Education PowerShell module - preview -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459). diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index a7009160fa..51d26aea04 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -11,20 +11,22 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Microsoft Store for Business and Microsoft Store for Education overview -**Applies to** +**Applies to:** - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). -> [!IMPORTANT] -> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). +> [!NOTE] +> As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. There will be no support for Microsoft Store for Business and Education on Windows 11. diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index 264f2228e9..08a23b9119 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md @@ -4,26 +4,27 @@ description: Notifications alert you to issues or outages with Microsoft Store f keywords: notifications, alerts ms.assetid: ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Notifications in Microsoft Store for Business and Education +**Applies to:** -**Applies to** - -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md index b56a2ebe5e..0e5b708958 100644 --- a/store-for-business/payment-methods.md +++ b/store-for-business/payment-methods.md @@ -5,19 +5,21 @@ keywords: payment method, credit card, debit card, add credit card, update payme ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: trudyha -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 ms.reviewer: -manager: dansimp --- # Payment methods > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards: - VISA @@ -27,9 +29,10 @@ You can purchase products and services from Microsoft Store for Business using y - Japan Commercial Bureau (JCB) > [!NOTE] -> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region. +> Not all cards available in all countries/regions. When you add a payment option, Microsoft Store for Business shows which cards are available in your region. ## Add a payment method + **To add a new payment option** 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 0dd6457beb..3543e2ade4 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -11,20 +11,22 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Prerequisites for Microsoft Store for Business and Education -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). -> [!IMPORTANT] -> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). +> [!NOTE] +> As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). > [!IMPORTANT] > Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business. diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index e1fd90b393..15adb1f6c8 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -4,22 +4,51 @@ description: Know the release history of Microsoft Store for Business and Micros ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual -ms.date: 07/21/2021 +ms.date: 06/29/2023 ms.reviewer: -manager: dansimp --- # Microsoft Store for Business and Education release history > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). -Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. +Because Microsoft Store for Business and Education will be retired, we no longer release new and improved features. Here's a summary of new or updated features in previous releases. -Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) + +## May 2023 + +### Removal of Microsoft Store for Business tab from Microsoft Store app on Windows 10 PCs + +The Microsoft Store for Business tab was removed from the Microsoft Store app on Windows 10. The Microsoft Store for Business tab is still available on HoloLens devices. + +Users on Windows 10 PCs can no longer do the following tasks: + +- see Line of Business (LOB) products listed in the Microsoft Store for Business tab +- acquire or install [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) +- assign licenses for existing [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) using the Store for Business portal or Store for Business app + +[Offline app](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) distribution and licensing scenarios aren't impacted by this change. + +We recommend that you add your apps through the new Microsoft Store app experience in Intune. If an app isn’t available in the Microsoft Store, you must retrieve an app package from the vendor and install it as an LOB app or Win32 app. For instructions, read the following articles: + +- [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft) +- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) +- [Add, assign, and monitor a Win32 app in Microsoft Intune](/mem/intune/apps/apps-win32-add) + +Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) where we will publish more information about this change. + +## April 2023 +- **Tab removed from Microsoft Store apps on Windows 11 PCs** – The Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. [Get more info](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed) + +## October 2018 +- **Use security groups with Private store apps** - On the details page for apps in your private store, you can set Private store availability. This allows you to choose which security groups can see an app in the private store. [Get more info](app-inventory-management-microsoft-store-for-business.md) ## September 2018 - **Performance improvements** - With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. [Get more info](/microsoft-store/manage-private-store-settings#private-store-performance) diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 1ca0ec4692..9ac3ce2446 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -12,20 +12,22 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Roles and permissions in Microsoft Store for Business and Education -**Applies to** +**Applies to:** - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). -> [!IMPORTANT] -> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). +> [!NOTE] +> As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md index f29dace9ef..a5b192031e 100644 --- a/store-for-business/settings-reference-microsoft-store-for-business.md +++ b/store-for-business/settings-reference-microsoft-store-for-business.md @@ -3,22 +3,23 @@ title: Settings reference Microsoft Store for Business and Education (Windows 10 description: The Microsoft Store for Business and Education has a group of settings that admins use to manage the store. ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Settings reference: Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). The Microsoft Store for Business and Education has a group of settings that admins use to manage the store. @@ -34,4 +35,4 @@ The Microsoft Store for Business and Education has a group of settings that admi | Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** | | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** | | Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** | -| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** | \ No newline at end of file +| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** | diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md index 4c4e855373..d1139f7ada 100644 --- a/store-for-business/sign-up-microsoft-store-for-business-overview.md +++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md @@ -11,22 +11,24 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Sign up and get started -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps. -> [!IMPORTANT] -> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). +> [!NOTE] +> As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). ## In this section diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index f9154689ca..80b2786116 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md @@ -3,29 +3,32 @@ title: Troubleshoot Microsoft Store for Business (Windows 10) description: Troubleshooting topics for Microsoft Store for Business. ms.assetid: 243755A3-9B20-4032-9A77-2207320A242A ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 +ms.date: 05/24/2023 --- # Troubleshoot Microsoft Store for Business -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). Troubleshooting topics for Microsoft Store for Business. ## Can't find apps in private store + The private store for your organization is a page in Microsoft Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check: - **No apps in the private store** - The private store page is only available in Microsoft Store on Windows 10 if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Microsoft Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on **Product & services - Apps**. If the status under **Private store** is **Add in progress**, wait and check back. diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index 78cd7532b8..ea6dd9e359 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md @@ -5,30 +5,31 @@ keywords: billing accounts, organization info ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 07/21/2021 -ms.reviewer: -manager: dansimp +ms.date: 05/24/2023 --- # Update Billing account settings > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). -A billing account contains defining information about your organization. +A billing account contains defining information about your organization. ->[!NOTE] ->Billing accounts are available in Microsoft Store for Business, and M365 admin center preview. For more information, see [aka.ms/aboutM365preview](/microsoft-365/admin/microsoft-365-admin-center-preview). +> [!NOTE] +> Billing accounts are available in Microsoft Store for Business, and the Microsoft 365 admin center. For more information, see [Understand your Microsoft billing account](/microsoft-365/commerce/manage-billing-accounts). The **Billing account** page allows you to manage organization information, purchasing agreements that you have with Microsoft, and admin approvals. The organization information and payment options are required before you can shop for products that have a price. ## Organization information -We need your business address, email contact, and tax-exemption certificates that apply to your country or locale. +We need your business address, email contact, and tax-exemption certificates that apply to your country/region or locale. ### Business address and email contact @@ -45,7 +46,7 @@ We need an email address in case we need to contact you about your Microsoft Sto 4. Make your updates, and then select **Save**. ### Organization tax information -Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: +Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries/regions can provide their VAT number or local equivalent: - Austria - Belgium - Bulgaria @@ -101,7 +102,7 @@ If you qualify for tax-exempt status in your market, start a service request to You'll need this documentation: -|Country or locale | Documentation | +|Country/Region or locale | Documentation | |------------------|----------------| | United States | Sales Tax Exemption Certificate | | Canada | Certificate of Exemption (or equivalent letter of authorization) | diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index bc329afe4d..8ab993b759 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -1,37 +1,46 @@ --- title: Whats new in Microsoft Store for Business and Education -description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education. +description: Learn about the newest features in Microsoft Store for Business and Microsoft Store for Education. ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual -ms.date: 07/21/2021 +ms.date: 06/29/2023 ms.reviewer: -manager: dansimp --- # What's new in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - -Microsoft Store for Business and Education regularly releases new and improved features. +> +> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). ## Latest updates for Store for Business and Education -**October 2018** +**May 2023** -:::row::: - :::column span="1"::: -  - :::column-end::: - :::column span="1"::: - **Use security groups with Private store apps**
On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.
[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education - :::column-end::: -:::row-end::: +**Removal of Microsoft Store for Business tab from Microsoft Store app on Windows 10 PCs** +The Microsoft Store for Business tab was removed from the Microsoft Store app on Windows 10. The Microsoft Store for Business tab is still available on HoloLens devices. + +Users on Windows 10 PCs can no longer do the following tasks: + +- see Line of Business (LOB) products listed in the Microsoft Store for Business tab +- acquire or install [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) +- assign licenses for existing [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) using the Store for Business portal or Store for Business app + +[Offline app](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) distribution and licensing scenarios aren't impacted by this change. + +We recommend that you add your apps through the new Microsoft Store app experience in Intune. If an app isn’t available in the Microsoft Store, you must retrieve an app package from the vendor and install it as an LOB app or Win32 app. For instructions, read the following articles: + +- [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft) +- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) +- [Add, assign, and monitor a Win32 app in Microsoft Intune](/mem/intune/apps/apps-win32-add) + +Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) where we will publish more information about this change. -
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). Help us to improve diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 5464c1fdcc..0108207c9e 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.topic: article ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index 49b68f3ed9..ce0c73c061 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 03/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 23e9dce8a5..5c13af93a6 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.topic: article ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index 7e0b19b428..a19c89cc1c 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.topic: article ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 65cccc4561..1b289057fe 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index e9168ea779..059ef24c65 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.topic: article ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 80859782c4..5feee6e5a9 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index b0a1c0a587..6ad489e6d0 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 9bba519134..8e916937ed 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index 192f9f4b66..d9769d9ac3 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index c327a058bb..3cdd99110d 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index 858f0dcbad..92b64eb2ec 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index f5fad71c85..ed8de7183d 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -5,8 +5,9 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz +ms.collection: must-keep ms.technology: itpro-apps --- diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md deleted file mode 100644 index 523ee3c2d8..0000000000 --- a/windows/application-management/apps-in-windows-10.md +++ /dev/null @@ -1,162 +0,0 @@ ---- -title: Learn about the different app types in Windows 10/11 | Microsoft Docs -description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. -author: nicholasswhite -ms.author: nwhite -manager: aaroncz -ms.date: 02/09/2023 -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-apps -ms.localizationpriority: medium -ms.collection: tier2 -ms.reviewer: ---- - -# Overview of apps on Windows client devices - -**Applies to**: - -- Windows 10 -- Windows 11 - -## Before you begin - -As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use the Microsoft Intune family of products. This family includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. - -In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: - -- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) -- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) -- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) - -## App types - -There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices. - -- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones. - - For more information on the Microsoft 365 license options, and what you get, see [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). - -- **Power Apps**: These apps connect to business data available online and on-premises, and can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. For more information, see [What is Power Apps?](/powerapps/powerapps-overview). - -- **.NET apps**: These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include: - - - **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development). - - **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview). - -- **Windows apps**: - - > [!TIP] - > Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/). - - - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps: - - - **Provisioned**: Installed in user account the first time you sign in with a new user account. For a list of some common provisioned apps, see [Provisioned apps installed with the Windows client OS](provisioned-apps-windows-client-os.md). - - **Installed**: Installed as part of the OS. - - - **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps. - - For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide). - - - **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET. - - For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows). - - - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. For a list of some common system apps, see [System apps installed with the Windows client OS](system-apps-windows-client-os.md). - -- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform. - - Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a Web App](https://azure.microsoft.com/get-started/web-app/). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview). - - Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices. - -## Android™️ apps - -Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store. - -For more information, see: - -- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48) -- [Windows Subsystem for Android developer information](/windows/android/wsa) - -## Add or deploy apps to devices - -When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. - -> [!NOTE] -> Microsoft Store for Business and Microsoft Store for Education will be retired on March 31, 2023. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11. ->Visit [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution) for more information about the new Microsoft Store experience for both Windows 11 and Windows 10, and learn about other options for getting and managing apps. - -- **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. - - If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). - - For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). - -- **Mobile device management (MDM)**: Use an MDM provider, like Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add Store apps, and more. - - For more information, see: - - - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) - - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management) - -- **Microsoft Store**: When you use the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **[Windows Package Manager](/windows/package-manager)** to add apps to the private store. - - To help manage the Microsoft Store on your devices, you can use policies: - - - On premises, you can use Administrative Templates in Group Policy to control access to the Microsoft Store app: - - `User Configuration\Administrative Templates\Windows Components\Store` - - `Computer Configuration\Administrative Templates\Windows Components\Store` - - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to control access to the Microsoft Store app. - - For more information, see: - - - [Microsoft Store for Business and Education](/microsoft-store/) - - [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423) - -- **MSIX for desktop apps**: MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX. - - To deploy MSIX packages and their apps, you can: - - - Use an MDM provider, like Microsoft Intune and Configuration Manager. - - Use an App Installer. User users double-click an installer file, or select a link on a web page. - - And more. - - For more information, see: - - - [What is MSIX?](/windows/msix/overview) - - [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise) - -- **Windows Package Manager**: Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from the Microsoft Store or from GitHub (and more), and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers. - - If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option for your organization. - - For more information, see [Windows Package Manager](/windows/package-manager). - -- **Azure Virtual desktop with MSIX app attach**: With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups. - - The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. - - If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization. - - For more information, see: - - - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) - - [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) - -- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps. - - > [!NOTE] - > [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)] - - On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally. - - The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md). - - To help manage App-V on your devices, you can use policies: - - - On premises, you can use Administrative Templates in Group Policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`). - - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to deploy App-V policies. - - diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 76647fae53..b8d3bddc46 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -39,7 +39,7 @@ "ms.collection": [ "tier2" ], - "uhfHeaderId": "MSDocsHeader-M365-IT", + "uhfHeaderId": "MSDocsHeader-Windows", "ms.technology": "itpro-apps", "ms.topic": "article", "feedback_system": "GitHub", @@ -59,7 +59,8 @@ "claydetels19", "jborsecnik", "tiburd", - "garycentric" + "garycentric", + "beccarobins" ], "searchScope": ["Windows 10"] }, diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 19c8ec6649..1ed95c362a 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,8 +1,8 @@ --- title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz ms.date: 10/03/2017 ms.topic: article diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index 14de444ad4..f9844e71b1 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -1,6 +1,6 @@ --- -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz ms.date: 09/20/2021 ms.topic: include diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index 13ec789f1d..35084641c6 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -1,8 +1,9 @@ --- -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz ms.date: 09/28/2021 +manager: aaroncz ms.topic: include ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index da969d420b..b08cd77d57 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -1,39 +1,46 @@ ### YamlMime:Landing title: Windows application management -summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. +summary: Learn about managing applications in Windows client, including common app types. metadata: title: Windows application management - description: Learn about managing applications in Windows 10 and Windows 11. - author: nicholasswhite - ms.author: nwhite + description: Learn about managing applications in Windows client. + author: aczechowski + ms.author: aaroncz manager: aaroncz - ms.date: 08/24/2021 + ms.date: 08/18/2023 ms.topic: landing-page ms.prod: windows-client ms.collection: - tier1 - highpri +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new + landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Manage Windows applications + - title: Manage applications linkLists: - - linkListType: overview + - linkListType: how-to-guide links: - - text: Understand apps in Windows client OS - url: apps-in-windows-10.md - - text: How to add features + - text: Overview of apps in Windows + url: overview-windows-apps.md + - text: Add or hide Windows features url: add-apps-and-features.md - text: Sideload LOB apps url: sideload-apps-in-windows-10.md - text: Keep removed apps from returning during an update url: remove-provisioned-apps-during-update.md - # Card (optional) + - title: Manage services + linkLists: + - linkListType: reference + links: + - text: Per-user services in Windows + url: per-user-services-in-windows.md + - text: Changes to Service Host grouping in Windows 10 + url: svchost-service-refactoring.md + - title: Application Virtualization (App-V) linkLists: - linkListType: overview @@ -52,15 +59,3 @@ landingContent: url: app-v/appv-troubleshooting.md - text: Technical Reference for App-V url: app-v/appv-technical-reference.md - - # Card (optional) - - title: Windows System Services - linkLists: - - linkListType: overview - links: - - text: Changes to Service Host grouping in Windows 10 - url: svchost-service-refactoring.md - - text: Per-user services in Windows - url: per-user-services-in-windows.md - - text: Per-user services in Windows - url: per-user-services-in-windows.md \ No newline at end of file diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md new file mode 100644 index 0000000000..135c557b56 --- /dev/null +++ b/windows/application-management/overview-windows-apps.md @@ -0,0 +1,200 @@ +--- +title: Overview of apps on Windows client devices +description: Learn about the different types of apps that run on Windows. For example, Universal Windows Platform (UWP), Windows Presentation Foundation (WPF), Win32, and Windows Forms apps. This article also includes the best way to install these apps. +author: aczechowski +ms.author: aaroncz +manager: aaroncz +ms.date: 08/28/2023 +ms.topic: overview +ms.prod: windows-client +ms.technology: itpro-apps +ms.localizationpriority: medium +ms.collection: tier2 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 +--- + +# Overview of apps on Windows client devices + +There are different types of apps that can run on your Windows client devices. This article provides an overview of some of the common apps used on Windows devices. It also explains the basics of how to install these apps. + +## Windows app types + +### Microsoft 365 apps + +These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones. + +For more information on the Microsoft 365 license options, and what you get, see [Find the right Microsoft 365 enterprise plan for your organization](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing). + +For more information on deploying Microsoft 365 apps, see the [Deployment guide for Microsoft 365 Apps](/DeployOffice/deployment-guide-microsoft-365-apps). + +### Power Apps + +These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. + +For more information, see [What is Power Apps?](/power-apps/powerapps-overview). + +### .NET apps + +These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include: + +- **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF application development](/dotnet/desktop/wpf/app-development). + +- **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview). + +### Windows apps + +> [!TIP] +> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/). + +- **Apps**: All apps installed in the protected directory `C:\Program Files\WindowsApps`. There are two classes of these apps: + + - **Installed**: Installed as part of the OS. + + - **Provisioned**: Installed the first time you sign in with a new user account. + + > [!TIP] + > To get a list of all provisioned apps, use Windows PowerShell: + > + > ```powershell + > Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName + > ``` + > + > The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage). + +- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps. + + For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide). + +- **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET. + + For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Top 11 things you can do to make your app great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows). + +- **System apps**: Apps installed in the system root directory `C:\Windows\`. These apps are part of the Windows OS. + + > [!TIP] + > To get a list of all the system apps, use Windows PowerShell: + > + > ```powershell + > `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation + > ``` + > + > The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage). + +### Web apps + +Web apps and progressive web apps (PWA) run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have network access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform. + +Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a web app](/visualstudio/get-started/csharp/tutorial-aspnet-core). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview). + +When you use an MDM provider like Microsoft Intune, you can create shortcuts to your web apps and progressive web apps on devices. For more information, see [Add web apps to Microsoft Intune](/mem/intune/apps/web-app). + +## Android™️ apps + +Starting with Windows 11, you can install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like others apps. + +For more information, see the following articles: + +- [Apps from the Amazon Appstore](https://support.microsoft.com/windows/apps-from-the-amazon-appstore-abed2335-81bf-490a-92e5-fe01b66e5c48) + +- [Windows Subsystem for Android developer information](/windows/android/wsa) + +## Add or deploy apps to devices + +When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. + +### Manually install + +On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. + +If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). + +For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). + +### Management service + +Use an MDM provider like Microsoft Intune, or an on-premises solution like Configuration Manager. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, or add Store apps. + +For more information, see: + +- [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) +- [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management) + +### Microsoft Store + +When you use the Microsoft Store app, Windows users can download apps from the public store. They can also download apps provided by your organization, which is called the *private store*. If your organization creates its own apps, you can use [Windows Package Manager](/windows/package-manager) to add apps to the private store. + +> [!NOTE] +> Retirement of the Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11. +> +> For more information, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/bc-p/3771217). This blog post describes the new Microsoft Store experience for both Windows 11 and Windows 10. To learn about other options for getting and managing apps, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft). + +To help manage the Microsoft Store on your devices, you can use policies: + +- On premises, you can use administrative templates in group policy to control access to the Microsoft Store app: + - `User Configuration\Administrative Templates\Windows Components\Store` + - `Computer Configuration\Administrative Templates\Windows Components\Store` + +- Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to control access to the Microsoft Store app. + +### MSIX for desktop apps + +MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX. + +To deploy MSIX packages and their apps, you can: + +- Use a management service, like Microsoft Intune and Configuration Manager. +- Use an App Installer. User users double-click an installer file, or select a link on a web page. + +For more information, see the following articles: + +- [What is MSIX?](/windows/msix/overview) +- [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise) + +### Windows Package Manager + +Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from services like the Microsoft Store or GitHub, and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers. + +If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option. + +For more information, see [Windows Package Manager](/windows/package-manager). + +### Azure Virtual desktop with MSIX app attach + +With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups. + +The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. + +If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization. + +For more information, see the following articles: + +- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) +- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) + +### Application Virtualization (App-V) + +App-V allows Win32 apps to be used as virtual apps. + +> [!NOTE] +> [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)] + +On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally. + +The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md). + +## Manage apps + +To help manage your devices, and help manage apps on your devices, use a management service like Microsoft Intune and Configuration Manager. For more information, see the following articles: + +- [Overview of endpoint management](/mem/endpoint-manager-overview) +- [Manage your apps and app data in Microsoft Intune](/mem/intune/fundamentals/manage-apps) +- [Introduction to application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management) + +## Application compatibility + +Microsoft is committed to making sure your business-critical apps work on the latest versions of Windows. For more information, see the following articles: + +- [Compatibility for Windows 11](/windows/compatibility/windows-11/) +- [FastTrack App Assure program](/windows/compatibility/app-assure) diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index d094fba726..200ea7e859 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -1,24 +1,21 @@ --- -title: Per-user services in Windows 10 and Windows Server +title: Per-user services description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz ms.date: 09/14/2017 -ms.topic: article +ms.topic: how-to ms.prod: windows-client ms.technology: itpro-apps ms.localizationpriority: medium ms.collection: tier2 -ms.reviewer: +appliesto: + - ✅ Windows 10 + - ✅ Windows Server --- -# Per-user services in Windows 10 and Windows Server - -**Applies to**: - -- Windows 10 -- Windows Server +# Per-user services in Windows Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. @@ -80,9 +77,9 @@ In light of these restrictions, you can use the following methods to manage per- You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). For more information, visit [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings). -For example: +For example: -``` +```ini [Unicode] Unicode=yes [Version] @@ -128,7 +125,7 @@ If you can't use Group Policy Preferences to manage the per-user services, you c To disable the Template Services, change the Startup Type for each service to 4 (disabled). For example: -```code +```cmd REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f @@ -163,9 +160,10 @@ You can create a script to change the Startup Type for the per-user services. Th Sample script using [sc.exe](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc990290(v=ws.11)?f=255&MSPPError=-2147217396): -``` +```cmd sc.exe configure
Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
- -MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.
- -### EnterpriseAppVManagement CSP node structure - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -The following example shows the EnterpriseAppVManagement configuration service provider in tree format. - -```console -./Vendor/MSFT -EnterpriseAppVManagement -----AppVPackageManagement ---------EnterpriseID -------------PackageFamilyName ----------------PackageFullName -------------------Name -------------------Version -------------------Publisher -------------------InstallLocation -------------------InstallDate -------------------Users -------------------AppVPackageID -------------------AppVVersionId -------------------AppVPackageUri -----AppVPublishing ---------LastSync -------------LastError -------------LastErrorDescription -------------SyncStatusDescription -------------SyncProgress ---------Sync -------------PublishXML -----AppVDynamicPolicy ---------ConfigurationId -------------Policy -``` - -(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.
- -AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.
- -- EnterpriseAppVManagement - - AppVPackageManagement - - **AppVPublishing** - - LastSync - - LastError - - LastErrorDescription - - SyncStatusDescription - - SyncProgress - - Sync - - PublishXML - - AppVDynamicPolicy - -Sync command:
- -[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx) - -AppVDynamicPolicy - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.
- -- EnterpriseAppVManagement - - AppVPackageManagement - - AppVPublishing - - **AppVDynamicPolicy** - - [ConfigurationId] - - Policy - -Dynamic policy examples:
- -[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing) - -AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.
- -- EnterpriseAppVManagement - - **AppVPackageManagement** - - [EnterpriseID] - - [PackageFamilyName] - - [PackageFullName] - - Name - - Version - - Publisher - - InstallLocation - - InstallDate - - Users - - AppVPackageID - - AppVVersionId - - AppVPackageUri - - AppVPublishing - - AppVDynamicPolicy - -The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.
- -## Scenarios addressed in App-V MDM functionality - -All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.
- -A complete list of App-V policies can be found here:
- -[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md) - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -### SyncML examples - -The following SyncML examples address specific App-V client scenarios.
- -#### Enable App-V client - -This example shows how to enable App-V on the device.
- -```xml -This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).
- -```xml -Complete list of App-V policies can be found here:
- -[Policy CSP](mdm/policy-configuration-service-provider.md) - -#### SyncML with package published for a device (global to all users for that device) - -This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.
- -```xml -*PackageUrl can be a UNC or HTTP/HTTPS endpoint.
- -#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device) - -This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.
- -```xml -*PackageUrl can be a UNC or HTTP/HTTPS endpoint.
- -#### SyncML with package (using user config deployment) published for a specific user - -This SyncML example shows how to publish a package for a specific MDM user.
- -```xml -This SyncML example shows how to publish a connection group, and group applications and plugins together.
- -> [!NOTE] -> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group. - -```xml -This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.
- -```xml -These SyncML examples return all global, and user-published packages on the device.
- -```xml -- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION||| +|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION||| ## Management protocol with Azure AD There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. -**Multiple user management for Azure AD-joined devices** -In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. +- **Multiple user management for Azure AD-joined devices** -**Adding a work account and MDM enrollment to a device** -In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. + In this scenario, the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest is logged on to the device. -**Evaluating Azure AD user tokens** -The Azure AD token is in the HTTP Authorization header in the following format: +- **Adding a work account and MDM enrollment to a device**: -```console -Authorization:Bearer
_Device Installation policies flow chart_ @@ -218,23 +188,20 @@ Some of these policies take precedence over other policies. The flowchart shown To complete each of the scenarios, ensure you have: - A client computer running Windows. - -- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - +- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - A USB/network printer pre-installed on the machine. - - Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps. -### Understanding implications of applying ‘Prevent’ policies retroactive +### Understanding implications of applying 'Prevent' policies retroactive -All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. +All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. -For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones. +For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones. This option is a powerful tool, but as such it has to be used carefully. > [!IMPORTANT] -> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. +> Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. ## Determine device identification strings @@ -249,19 +216,19 @@ To find device identification strings using Device Manager 1. Make sure your printer is plugged in and installed. -2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. +1. To open Device Manager, select the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. -3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. +1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. -4. Find the “Printers” section and find the target printer +1. Find the "Printers" section and find the target printer 
_Selecting the printer in Device Manager_ -5. Double-click the printer and move to the ‘Details’ tab. +1. Double-click the printer and move to the 'Details' tab. - 
_Open the ‘Details’ tab to look for the device identifiers_ + 
_Open the 'Details' tab to look for the device identifiers_ -6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies. +1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies.  @@ -311,24 +278,24 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. +1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters -4. Have a USB/network printer available to test the policy with +1. Have a USB/network printer available to test the policy with -### Scenario steps – preventing installation of prohibited devices +### Scenario steps - preventing installation of prohibited devices Getting the right device identifier to prevent it from being installed: 1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID). -2. If you don’t have such device installed on your system or know the name of the class, you can check the following two links: +1. If you don't have such device installed on your system or know the name of the class, you can check the following two links: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: +1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ @@ -340,40 +307,40 @@ Getting the right device identifier to prevent it from being installed: Creating the policy to prevent all printers from being installed: -1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled (recommended to keep ‘applied layered order of evaluation’ policy enabled). +1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled). -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option takes you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +1. Enter the printer class GUID you found with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`. - 
_List of prevent Class GUIDs_ + 
_List of prevent Class GUIDs_ -7. Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. -9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ +1. Optional-if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' > [!IMPORTANT] -> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using ‘Disk Drive’ class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. +> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. -### Testing the scenario +### Testing scenario 1 -1. If you haven't completed step #9 – follow these steps: +1. If you haven't completed step #9, follow these steps: - 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. - 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. + 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". + 1. For USB printer-unplug and plug back the cable; for network device-make a search for the printer in the Windows Settings app. 1. You shouldn't be able to reinstall the printer. -2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. +1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. ## Scenario #2: Prevent installation of a specific printer @@ -385,52 +352,51 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. +1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. -### Scenario steps – preventing installation of a specific device +### Scenario steps - preventing installation of a specific device Getting the right device identifier to prevent it from being installed: -1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously +1. Get your printer's Hardware ID. In this example we'll use the identifier we found previously. 
_Printer Hardware ID_ -2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers +1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0;`. Take the more specific identifier to make sure you block a specific printer and not a family of printers Creating the policy to prevent a single printer from being installed: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block. -5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 +1. Enter the printer device ID you found above: `WSDPRINT\CanonMX920_seriesC1A0`. 
_Prevent Device ID list_ -6. Click ‘OK’. +1. Click 'OK'. -7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install. +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install. -8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’. +1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'. -### Testing the scenario +### Testing scenario 2 If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. If you haven't completed step #8, follow these steps: -1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. +1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". -2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. - -3. You shouldn't be able to reinstall the printer. +1. For USB printer, unplug and plug back the cable; for network device, make a search for the printer in the Windows Settings app. +1. You shouldn't be able to reinstall the printer. ## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed @@ -442,67 +408,66 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, and enable ‘Apply layered order of evaluation’. +1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters. +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters. -4. Have a USB/network printer available to test the policy with. +1. Have a USB/network printer available to test the policy with. -### Scenario steps – preventing installation of an entire class while allowing a specific printer +### Scenario steps - preventing installation of an entire class while allowing a specific printer -Getting the device identifier for both the Printer Class and a specific printer – following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: +Getting the device identifier for both the Printer Class and a specific printer-following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: - ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318} - Hardware ID = WSDPRINT\CanonMX920_seriesC1A0 -First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: +First create a 'Prevent Class' policy and then create 'Allow Device' one: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled +1. Make sure all policies are disabled -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318} - 
_List of prevent Class GUIDs_ + 
_List of prevent Class GUIDs_ -7. Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. -9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’ +1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK' -10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. +1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it-this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. -  + :::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step." source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png"::: - 
_Apply layered order of evaluation policy_ + [](images/device-installation-apply-layered-policy-2.png#lightbox)
_Apply layered order of evaluation policy_ -9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow. -11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. +1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. 
_Allow Printer Hardware ID_ -12. Click ‘OK’. +1. Click 'OK'. -13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed). +1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and allows the target printer to be installed (or stayed installed). -## Testing the scenario +## Testing scenario 3 1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. -2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all. - +1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer-you shouldn't be bale to print anything or able to access the printer at all. ## Scenario #4: Prevent installation of a specific USB device @@ -514,67 +479,65 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section -2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications. +1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation'. This prerequisite is optional to be On/Off this scenario. Although the policy is disabled in default, it's recommended to be enabled in most practical applications. -### Scenario steps – preventing installation of a specific device +### Scenario steps - preventing installation of a specific device Getting the right device identifier to prevent it from being installed and its location in the PnP tree: 1. Connect a USB thumb drive to the machine -2. Open Device Manager +1. Open Device Manager + +1. Find the USB thumb-drive and select it. -3. Find the USB thumb-drive and select it. - 
_Selecting the usb thumb-drive in Device Manager_ -4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree. +1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree. 
_Changing view in Device Manager to see the PnP connection tree_ > [!NOTE] - > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked. - + > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked. + 
_When blocking one device, all the devices that are nested below it will be blocked as well_ -5. Double-click the USB thumb-drive and move to the ‘Details’ tab. +1. Double-click the USB thumb-drive and move to the 'Details' tab. + +1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 -6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 - 
_USB device hardware IDs_ Creating the policy to prevent a single USB thumb-drive from being installed: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor and either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block. + +1. Enter the USB thumb-drive device ID you found above-`USBSTOR\DiskGeneric_Flash_Disk______8.07`. -5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07 - 
_Prevent Device IDs list_ -6. Click ‘OK’. +1. Click 'OK'. -7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install. +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install. -8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’ +1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'. +### Testing scenario 4 -### Testing the scenario +1. If you haven't completed step #8, follow these steps: -1. If you haven't completed step #8 – follow these steps: - - - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”. + - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device". - You shouldn't be able to reinstall the device. -2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use. - +1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use. ## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive @@ -586,15 +549,15 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, and **enable** ‘Apply layered order of evaluation’. +1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters. +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters. -4. Have a USB thumb-drive available to test the policy with. +1. Have a USB thumb-drive available to test the policy with. -### Scenario steps – preventing installation of all USB devices while allowing only an authorized USB thumb-drive +### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive -Getting the device identifier for both the USB Classes and a specific USB thumb-drive – following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario: +Getting the device identifier for both the USB Classes and a specific USB thumb-drive and following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario: - USB Bus Devices (hubs and host controllers) - Class = USB @@ -610,16 +573,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb- As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: -- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03 -- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 -- “Generic USB Hub” -> USB\USB20_HUB - +- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03 +- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30 +- "Generic USB Hub" -> USB\USB20_HUB + 
_USB devices nested under each other in the PnP tree_ These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine. > [!IMPORTANT] -> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: +> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list: > > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ @@ -629,50 +592,50 @@ These devices are internal devices on the machine that define the USB port conne > > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. -First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: +First create a 'Prevent Class' policy and then create 'Allow Device' one: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled +1. Make sure all policies are disabled -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter both USB classes GUID you found above with the curly braces: +1. Enter both USB classes GUID you found above with the curly braces: > {36fc9e60-c465-11cf-8056-444553540000}/ - > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} + > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} -7. Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs. > [!IMPORTANT] > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice. -9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. +1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. 
_Apply layered order of evaluation policy_ -10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow. -12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 +1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation-`USBSTOR\DiskGeneric_Flash_Disk______8.07`. 
_Allowed USB Device IDs list_ -13. Click ‘OK’. +1. Click 'OK'. -14. Click ‘Apply’ on the bottom right of the policy’s window. +1. Click 'Apply' on the bottom right of the policy's window. -15. To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’. +1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'. -### Testing the scenario +### Testing scenario 5 -You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage +You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage. diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md new file mode 100644 index 0000000000..afc00a6203 --- /dev/null +++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md @@ -0,0 +1,34 @@ +--- +title: Manage the Settings app with Group Policy +description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. +ms.date: 08/10/2023 +ms.topic: article +--- + +# Manage the Settings app with Group Policy + +You can manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. + +> [!NOTE] +> To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. Each server that you want to manage access to the Settings App must be patched. + +If your organization uses the [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for Group Policy management, to manage the policies, copy the ControlPanel.admx and ControlPanel.adml file to PolicyDefinitions folder. + +This policy is available for both User and Computer configurations. + +- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. +- **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. + + + +## Configuring the Group Policy + +The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). + +> [!IMPORTANT] +> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. + +For example: + +- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**. +- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**. diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md new file mode 100644 index 0000000000..5c867f498d --- /dev/null +++ b/windows/client-management/client-tools/mandatory-user-profile.md @@ -0,0 +1,146 @@ +--- +title: Create mandatory user profiles +description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. +ms.date: 08/10/2023 +ms.topic: article +ms.collection: +- highpri +- tier2 +--- + +# Create mandatory user profiles + +A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned. + +Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. + +When the server that stores the mandatory profile is unavailable, such as when the user isn't connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user is signed in with a temporary profile. + +User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. + +## Profile extension for each Windows version + +The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it applies to. The following table lists the correct extension for each operating system version. + +| Client operating system version | Server operating system version | Profile extension | +|-------------------------------------|-------------------------------------------------|-------------------| +| Windows XP | Windows Server 2003 Windows Server 2003 R2 | none | +| Windows VistaWindows 7 | Windows Server 2008 Windows Server 2008 R2 | v2 | +| Windows 8 | Windows Server 2012 | v3 | +| Windows 8.1 | Windows Server 2012 R2 | v4 | +| Windows 10, versions 1507 and 1511 | N/A | v5 | +| Windows 10, versions 1607 and later | Windows Server 2016 and Windows Server 2019 | v6 | + +For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning). + +## Mandatory user profile + +First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory. + +### How to create a default user profile + +1. Sign in to a computer running Windows as a member of the local Administrator group. Don't use a domain account. + + > [!NOTE] + > Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. + +1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. + + > [!NOTE] + > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-articles). + +1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. + +1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/overview-windows-apps). + + > [!NOTE] + > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. + +1. At a command prompt, type the following command and press **ENTER**. + + ```cmd + sysprep /oobe /reboot /generalize /unattend:unattend.xml + ``` + + (Sysprep.exe is located at: `C:\Windows\System32\sysprep`. By default, Sysprep looks for `unattend.xml` in the same folder.) + + > [!TIP] + > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open `%WINDIR%\System32\Sysprep\Panther\setupact.log` and look for an entry like the following: + > + >  + > + > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. + +1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the setup, and then sign in to the computer using an account that has local administrator privileges. + +1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and select **Settings** in the **User Profiles** section. + +1. In **User Profiles**, select **Default Profile**, and then select **Copy To**. + +  + +1. In **Copy To**, under **Permitted to use**, select **Change**. + +  + +1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, select **Check Names**, and then select **OK**. + +1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later. + + - If the device is joined to the domain and you're signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. + +  + + - If the device isn't joined to the domain, you can save the profile locally, and then copy it to the shared folder location. + +1. Select **OK** to copy the default user profile. + +### How to make the user profile mandatory + +1. In File Explorer, open the folder where you stored the copy of the profile. + + > [!NOTE] + > If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes. + +1. Rename `Ntuser.dat` to `Ntuser.man`. + +### Verify the correct owner for the mandatory profile folders + +1. Open the properties of the "profile.v6" folder. +1. Select the **Security** tab and then select **Advanced**. +1. Verify the **Owner** of the folder. It must be the builtin **Administrators** group. To change the owner, you must be a member of the Administrators group on the file server, or have "Set owner" privilege on the server. +1. When you set the owner, select **Replace owner on subcontainers and objects** before you select OK. + +## Apply a mandatory user profile to users + +In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server. + +### How to apply a mandatory user profile to users + +1. Open **Active Directory Users and Computers** (dsa.msc). +1. Navigate to the user account that you'll assign the mandatory profile to. +1. Right-click the user name and open **Properties**. +1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`. +1. Select **OK**. + +It may take some time for this change to replicate to all domain controllers. + +## Apply policies to improve sign-in time + +When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. + +| Group Policy setting | Windows 10 | Windows Server 2016 | +|-----------------------------------------------------------------------------------------------------------------------------------------------|:----------:|:-------------------:| +| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ | + +> [!NOTE] +> These Group Policy settings can be applied in Windows Professional edition. + +## Related articles + +- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies) +- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps) +- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight) +- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/client-tools/quick-assist.md similarity index 95% rename from windows/client-management/quick-assist.md rename to windows/client-management/client-tools/quick-assist.md index 4e59e30993..615806cfd5 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -1,21 +1,12 @@ --- title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. -ms.prod: windows-client +ms.date: 08/10/2023 ms.topic: article -ms.technology: itpro-manage ms.localizationpriority: medium -author: vinaypamnani-msft -ms.author: vinpa -manager: aaroncz -ms.reviewer: pmadrigal -appliesto: - - ✅ Windows 10 and later - - ✅ Windows 11 and later ms.collection: - - highpri - - tier1 -ms.date: 03/06/2023 +- highpri +- tier1 --- # Use Quick Assist to help users @@ -26,9 +17,6 @@ Quick Assist is a Microsoft Store application that enables a person to share the All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. -> [!IMPORTANT] -> Quick Assist is not available in the Azure Government cloud. - ### Authentication The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml new file mode 100644 index 0000000000..311cb0c84f --- /dev/null +++ b/windows/client-management/client-tools/toc.yml @@ -0,0 +1,19 @@ +items: + - name: Windows Tools/Administrative Tools + href: administrative-tools-in-windows.md + - name: Use Quick Assist to help users + href: quick-assist.md + - name: Connect to remote Azure Active Directory-joined PC + href: connect-to-remote-aadj-pc.md + - name: Create mandatory user profiles + href: mandatory-user-profile.md + - name: Manage Device Installation with Group Policy + href: manage-device-installation-with-group-policy.md + - name: Manage the Settings app with Group Policy + href: manage-settings-app-with-group-policy.md + - name: Manage default media removal policy + href: change-default-removal-policy-external-storage-media.md + - name: What version of Windows am I running + href: windows-version-search.md + - name: Windows libraries + href: windows-libraries.md diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md similarity index 71% rename from windows/client-management/windows-libraries.md rename to windows/client-management/client-tools/windows-libraries.md index 89b5f46cfd..43666505af 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/client-tools/windows-libraries.md @@ -1,26 +1,18 @@ --- -ms.reviewer: -manager: aaroncz title: Windows Libraries -ms.prod: windows-client -ms.author: vinpa -ms.manager: dongill -ms.technology: itpro-manage -ms.topic: article -author: vinaypamnani-msft description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.date: 09/15/2021 +ms.topic: article +ms.date: 08/10/2023 --- # Windows libraries -> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 - -Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. +Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. ## Features for Users -Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users: +Windows libraries provide full content search and rich metadata. Libraries offer the following advantages to users: + - Aggregate content from multiple storage locations into a single, unified presentation. - Enable users to stack and group library contents based on metadata. - Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. @@ -30,6 +22,7 @@ Windows libraries are backed by full content search and rich metadata. Libraries ## Features for Administrators Administrators can configure and control Windows libraries in the following methods: + - Create custom libraries by creating and deploying Library Description (*.library-ms) files. - Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.) - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. @@ -48,6 +41,7 @@ Including a folder in a library doesn't physically move or change the storage lo ### Default Libraries and Known Folders The default libraries include: + - Documents - Music - Pictures @@ -57,23 +51,24 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict ### Hiding Default Libraries -Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. ### Default Save Locations for Libraries Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails. -### Indexing Requirements and “Basic” Libraries +### Indexing Requirements and "Basic" Libraries Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality: + - No support for metadata browsing via **Arrange By** views. - Grep-only searches. - Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. - No support for searching from the Start menu. Start menu searches don't return files from basic libraries. - No previews of file snippets for search results returned in Content mode. -To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). @@ -81,20 +76,20 @@ If your environment doesn't support caching files locally, you should enable the ### Folder Redirection -While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. +While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. ### Supported storage locations The following table shows which locations are supported in Windows libraries. -|Supported Locations|Unsupported Locations| -|---|---| -|Fixed local volumes (NTFS/FAT)|Removable drives| -|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)
Network shares that are accessible through DFS Namespaces or are part of a failover cluster| -|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed
Network Attached Storage (NAS) devices| -||Other data sources: SharePoint, Exchange, etc.| +| Supported Locations | Unsupported Locations | +|--|--| +| Fixed local volumes (NTFS/FAT) | Removable drives | +| Shares that are indexed (departmental servers*, Windows home PCs) | Removable media (such as DVDs)
Network shares that are accessible through DFS Namespaces or are part of a failover cluster | +| Shares that are available offline (redirected folders that use Offline Files) | Network shares that aren't available offline or remotely indexed
Network Attached Storage (NAS) devices | +| | Other data sources: SharePoint, Exchange, etc. | -\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: +\* For shares that are indexed on a departmental server, Windows Search works well in a workgroup or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: - Expected maximum load is four concurrent query requests. - Expected indexing corpus is a maximum of one million documents. @@ -104,14 +99,13 @@ The following table shows which locations are supported in Windows libraries. ### Library Attributes The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): + - Name - Library locations - Order of library locations - Default save location -The library icon can be modified by the administrator or user by directly editing the Library Description schema file. - -See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files. +The library icon can be modified by the administrator or user by directly editing the Library Description schema file. See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files. ## See also @@ -127,4 +121,4 @@ See the [Library Description Schema](/windows/win32/shell/library-schema-entry) ### Other resources - [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)) -- [Library Description Schema](/windows/win32/shell/library-schema-entry) \ No newline at end of file +- [Library Description Schema](/windows/win32/shell/library-schema-entry) diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md new file mode 100644 index 0000000000..a9ff816f27 --- /dev/null +++ b/windows/client-management/client-tools/windows-version-search.md @@ -0,0 +1,45 @@ +--- +title: What version of Windows am I running? +description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. +ms.date: 08/10/2023 +ms.topic: article +--- + +# What version of Windows am I running? + +The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices. + +In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. + +To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them. + +## System Properties + +Select **Start** > **Settings** > **System**, then select **About**. You then see **Edition**, **Version**, and **OS Build** information. + +:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10."::: + +## Using Keyword Search + +You can type the following in the search bar and press **ENTER** to see version details for your device. + +- **"winver"**: + + :::image type="content" source="images/winver.png" alt-text="screenshot of the About Windows display text."::: + +- **"msinfo"** or **"msinfo32"** to open **System Information**: + + :::image type="content" source="images/msinfo32.png" alt-text="screenshot of the System Information display text."::: + +> [!TIP] +> You can also use `winver` or `msinfo32` commands at the command prompt. + +## Using Command Prompt or PowerShell + +- At the PowerShell or Command Prompt, type `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"` and then press **ENTER** + + :::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text."::: + +- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the following image: + + :::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager."::: diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 56b72cdf0a..443c29c949 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md @@ -1,22 +1,15 @@ --- title: Secured-core configuration lock description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 05/24/2022 +ms.date: 08/10/2023 +appliesto: +- ✅ Windows 11 --- # Secured-core PC configuration lock -**Applies to** - -- Windows 11 - -In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. +In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. @@ -26,13 +19,11 @@ To summarize, config lock: - Detects drift remediates within seconds - Doesn't prevent malicious attacks +[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)] + ## Configuration Flow -After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). - -## System Requirements - -Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). +After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock doesn't apply. If the device is a secured-core PC, config lock locks the policies listed under [List of locked policies](#list-of-locked-policies). ## Enabling config lock using Microsoft Intune @@ -43,23 +34,24 @@ The steps to turn on config lock using Microsoft Intune are as follows: 1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune. 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**. 1. Select the following and press **Create**: - - **Platform**: Windows 10 and later - - **Profile type**: Templates + - **Platform**: `Windows 10 and later` + - **Profile type**: `Templates` - **Template name**: Custom :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates."::: 1. Name your profile. 1. When you reach the Configuration Settings step, select "Add" and add the following information: - - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock - - **Data type**: Integer - - **Value**: 1 + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock` + - **Data type**: `Integer` + - **Value**: `1` + To turn off config lock, change the value to 0. - :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1."::: + :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn-on config lock and the OMA-URI set, along with a Data type of Integer set to a Value of 1."::: 1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices". -1. You'll not need to set any applicability rules for test purposes. +1. You don't need to set any applicability rules for test purposes. 1. Review the Configuration and select "Create" if everything is correct. 1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled. @@ -77,54 +69,54 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m - Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities. -### List of locked policies +## List of locked policies -|**CSPs** | -|-----| -|[BitLocker](mdm/bitlocker-csp.md) | -|[PassportForWork](mdm/passportforwork-csp.md) | -|[WindowsDefenderApplicationGuard](mdm/windowsdefenderapplicationguard-csp.md) | -|[ApplicationControl](mdm/applicationcontrol-csp.md) +| **CSPs** | +|-------------------------------------------------------------------------------| +| [BitLocker](mdm/bitlocker-csp.md) | +| [PassportForWork](mdm/passportforwork-csp.md) | +| [WindowsDefenderApplicationGuard](mdm/windowsdefenderapplicationguard-csp.md) | +| [ApplicationControl](mdm/applicationcontrol-csp.md) | -|**MDM policies** | **Supported by Group Policy** | -|-----|-----| -|[DataProtection/AllowDirectMemoryAccess](mdm/policy-csp-dataprotection.md) | No | -|[DataProtection/LegacySelectiveWipeID](mdm/policy-csp-dataprotection.md) | No | -|[DeviceGuard/ConfigureSystemGuardLaunch](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceGuard/EnableVirtualizationBasedSecurity](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceGuard/LsaCfgFlags](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceGuard/RequirePlatformSecurityFeatures](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventDeviceMetadataFromNetwork](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DmaGuard/DeviceEnumerationPolicy](mdm/policy-csp-dmaguard.md) | Yes | -|[WindowsDefenderSecurityCenter/CompanyName](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableClearTpmButton](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableFamilyUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableHealthUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableNetworkUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](mdm/policy-csp-windowsdefendersecuritycenter.md)| Yes | -|[WindowsDefenderSecurityCenter/DisableVirusUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/Email](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/EnableInAppCustomization](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideSecureBoot](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/Phone](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/URL](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[SmartScreen/EnableAppInstallControl](mdm/policy-csp-smartscreen.md)| Yes | -|[SmartScreen/EnableSmartScreenInShell](mdm/policy-csp-smartscreen.md) | Yes | -|[SmartScreen/PreventOverrideForFilesInShell](mdm/policy-csp-smartscreen.md) | Yes | +| **MDM policies** | **Supported by Group Policy** | +|-----------------------------------------------------------------------------------------------------------------------------|-------------------------------| +| [DataProtection/AllowDirectMemoryAccess](mdm/policy-csp-dataprotection.md) | No | +| [DataProtection/LegacySelectiveWipeID](mdm/policy-csp-dataprotection.md) | No | +| [DeviceGuard/ConfigureSystemGuardLaunch](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceGuard/EnableVirtualizationBasedSecurity](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceGuard/LsaCfgFlags](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceGuard/RequirePlatformSecurityFeatures](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventDeviceMetadataFromNetwork](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DmaGuard/DeviceEnumerationPolicy](mdm/policy-csp-dmaguard.md) | Yes | +| [WindowsDefenderSecurityCenter/CompanyName](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableAppBrowserUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableClearTpmButton](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableFamilyUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableHealthUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableNetworkUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableVirusUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/Email](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/EnableCustomizedToasts](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/EnableInAppCustomization](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideSecureBoot](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/Phone](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/URL](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [SmartScreen/EnableAppInstallControl](mdm/policy-csp-smartscreen.md) | Yes | +| [SmartScreen/EnableSmartScreenInShell](mdm/policy-csp-smartscreen.md) | Yes | +| [SmartScreen/PreventOverrideForFilesInShell](mdm/policy-csp-smartscreen.md) | Yes | diff --git a/windows/client-management/declared-configuration-extensibility.md b/windows/client-management/declared-configuration-extensibility.md new file mode 100644 index 0000000000..3121be77f0 --- /dev/null +++ b/windows/client-management/declared-configuration-extensibility.md @@ -0,0 +1,251 @@ +--- +title: Declared configuration extensibility +description: Learn more about declared configuration extensibility through native WMI providers. +ms.date: 09/26/2023 +ms.topic: how-to +--- + +# Declared configuration extensibility providers + +The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties. + +> [!NOTE] +> Only string properties are currently supported by extensibility providers. + +```mof +[static, Description ("Get resource state based on input configuration file." )] +uint32 GetTargetResource( + [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied.")] + string InputResource, + [in, Description ("Flags passed to the provider. Reserved for future use." )] + uint32 Flags, + [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )] + string OutputResource +); + +[static, Description ("Test resource state based on input configuration file." )] +uint32 TestTargetResource( + [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document to be applied." )] + string InputResource, + [in, Description ("Flags passed to the provider. reserved for future use." )] + uint32 Flags, + [out, Description ("True if identical. False otherwise." )] + boolean Result, + [out, Description ("Context information the provider can use to optimize the set. This is optional." )] + uint64 ProviderContext +); + +[static, Description ("Set resource state based on input configuration file." )] +uint32 SetTargetResource( + [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), + Description ("Configuration document to be applied." )] + string InputResource, + [in, Description ("Context information the provider can use to optimize the set from SetTargetResource. This is optional." )] + uint64 ProviderContext, + [in, Description ("Flags passed to the provider. reserved for future use." )] + uint32 Flags +); +``` + +## Author desired state configuration resources + +To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement. + +1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource. +2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool. +3. Edit the required files and include the correct file names and class names. +4. Invoke the provider generator tool to generate the provider's project files. +5. Copy the generated files into the provider's project folder. +6. Start the development process. + +## Example + +This example provides more details about each step to demonstrate how to implement a sample native resource named `MSFT_FileDirectoryConfiguration`. + +### Step 1: Create the resource schema MOF file + +Create a sample schema MOF file used to generate the initial source code for the `MSFT_FileDirectoryConfiguration` native resource. Place it in the project directory named `MSFT_FileDirectoryConfiguration`. + +```mof +#pragma include ("cim_schema_2.26.0.mof") +#pragma include ("OMI_BaseResource.mof") +#pragma include ("MSFT_Credential.mof") + +[ClassVersion("1.0.0"), Description("The configuration provider for files and directories.")] +class MSFT_FileDirectoryConfiguration : OMI_BaseResource +{ + [Key, Description("File name and path on target node to copy or create.")] + string DestinationPath; + + [Write, Description("The name and path of the file to copy from.")] + string SourcePath; + + [Write, Description("Contains a string that represents the contents of the file. To create an empty file, the string must be empty. The contents will be written and compared using UTF-8 character encoding.")] + string Contents; + + [static, Description ("Get resource states based on input configuration file." )] + uint32 GetTargetResource( + [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied." )] + string InputResource, + + [in,Description ("Flags passed to the providers. Reserved for future use." )] + uint32 Flags, + + [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )] + string OutputResource + ); + + [static, Description ("Test resource states based on input configuration file." )] + uint32 TestTargetResource( + [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )] + string InputResource, + + [in, Description ("Flags passed to the providers. reserved for future use." )] + uint32 Flags, + + [out, Description ("True if identical. False otherwise." )] + boolean Result, + + [out, Description ("Context information that the provider can use to optimize the set, This is optional." )] + uint64 ProviderContext + ); + + [static, Description ("Set resource states based on input configuration file." )] + uint32 SetTargetResource( + [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )] + string InputResource, + + [in, Description ("Context information that the provider can use to optimize the set from TestTargetResource, This is optional." )] + uint64 ProviderContext, + + [in, Description ("Flags passed to the providers. reserved for future use." )] + uint32 Flags + ); +}; +``` + +> [!NOTE] +> +> - The class name and DLL file name should be the same, as defined in the `Provider.DEF` file. +> - The type qualifier `[Key]` on a property indicates that it uniquely identifies the resource instance. At least one `[Key]` property is required. +> - The `[Required]` qualifier indicates that the property is required. In other words, a value must be specified in any configuration script that uses this resource. +> - The `[write]` qualifier indicates that the property is optional when using the custom resource in a configuration script. The `[read]` qualifier indicates that a property can't be set by a configuration, and is for reporting purposes only. +> - The `[Values]` qualifier restricts the values that can be assigned to the property. Define the list of allowed values in `[ValueMap]`. For more information, see [ValueMap and value qualifiers](/windows/win32/wmisdk/value-map). +> - Any new MOF file should include the following lines at the top of the file: +> +> ```mof +> #pragma include ("cim_schema_2.26.0.mof") +> #pragma include ("OMI_BaseResource.mof") +> #pragma include ("MSFT_Credential.mof") +> ``` +> +> - Method names and its parameters should be same for every resource. Change `MSFT_FileDirectoryConfiguration` from EmbeddedInstance value to the class name of the desired provider. There should be only one provider per MOF file. + +### Step 2: Copy the schema MOF files + +Copy these required files and folders to the project directory you created in step 1: + +- `CIM-2.26.0` +- `codegen.cmd` +- `Convert-MofToProvider.exe` +- `MSFT_Credential.mof` +- `MSFT_DSCResource.mof` +- `OMI_BaseResource.mof` +- `OMI_Errors.mof` +- `Provider.DEF` +- `wmicodegen.dll` + +For more information on how to obtain the required files, see [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). + +### Step 3: Edit the required files + +Modify the following files in the project directory: + +- `MSFT_FileDirectoryConfiguration.mof`: You created this file in step 1. +- `Provider.DEF`: This file contains the DLL name, for example, `MSFT_FileDirectoryConfiguration.dll`. +- `codegen.cmd`: This file contains the command to invoke `convert-moftoprovider.exe`. + + ```cmd + "convert-moftoprovider.exe" ^ + -MofFile MSFT_FileDirectoryConfiguration.mof ^ + MSFT_DSCResource.mof ^ + OMI_Errors.mof ^ + -ClassList MSFT_FileDirectoryConfiguration ^ + -IncludePath CIM-2.26.0 ^ + -ExtraClass OMI_Error ^ + MSFT_DSCResource ^ + -OutPath temp + ``` + +### Step 4: Run the provider generator tool + +Run `codegen.cmd`, which runs the `convert-moftoprovider.exe` command. Alternatively, you can run the command directly. + +### Step 5: Copy the generated source files + +The command in step 3 specifies the `-OutPath` parameter, which in this example is a folder named `temp`. When you run the tool in step 4, it creates new files in this folder. Copy the generated files from this `temp` folder to the project directory. You created the project directory in step 1, which in this example is `MSFT_FileDirectoryConfiguration`. + +> [!NOTE] +> Any time you update the schema MOF file, run the `codegen.cmd` script to regenerate the source files. Rerunning the generator tool overwrites any existing the source files. To prevent this behavior, this example uses a temporary folder. Minimize updates to the schema MOF file since the main implementation should be merged with the most recent auto-generated source files. + +### About the `MSFT_FileDirectoryConfiguration` resource + +After you run the provider generator tool, it creates several source and header files: + +- `MSFT_FileDirectoryConfiguration.c` +- `MSFT_FileDirectoryConfiguration.h` +- `module.c` +- `schema.c` +- `WMIAdapter.c` + +From this list, you only need to modify `MSFT_FileDirectoryConfiguration.c` and `MSFT_FileDirectoryConfiguration.h`. You can also change the extension for the source files from `.c` to `.cpp`, which is the case for this resource. The business logic for this resource is implemented in `MSFT_FileDirectoryConfigurationImp.cpp` and `MSFT_FileDirectoryConfigurationImp.h`. These new files are added to the `MSFT_FileDirectoryConfiguration` project directory after you run the provider generator tool. + +For a native desired state configuration resource, you have to implement three autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp`: + +- `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` +- `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource` +- `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource` + +From these three functions, only `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` is required for a Get scenario. `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource` and `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource` are used when remediation is needed. + +There are several other autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp` that don't need implementation for a native desired state configuration resource. You don't need to modify the following functions: + +- `MSFT_FileDirectoryConfiguration_Load` +- `MSFT_FileDirectoryConfiguration_Unload` +- `MSFT_FileDirectoryConfiguration_EnumerateInstances` +- `MSFT_FileDirectoryConfiguration_GetInstance` +- `MSFT_FileDirectoryConfiguration_CreateInstance` +- `MSFT_FileDirectoryConfiguration_ModifyInstance` +- `MSFT_FileDirectoryConfiguration_DeleteInstance` + +### About `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` + +The `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` function does the following steps to complete its task: + +1. Validate the input resource. +1. Ensure the keys and required parameters are present. +1. Create a resource instance that is used as the output of the Get method. This instance is of type `MSFT_FileDirectoryConfiguration`, which is derived from `MI_Instance`. +1. Create the output resource instance from the modified resource instance and return it to the MI client by calling these functions: + + - `MSFT_FileDirectoryConfiguration_GetTargetResource_Construct` + - `MSFT_FileDirectoryConfiguration_GetTargetResource_SetPtr_OutputResource` + - `MSFT_FileDirectoryConfiguration_GetTargetResource_Set_MIReturn` + - `MSFT_FileDirectoryConfiguration_GetTargetResource_Post` + - `MSFT_FileDirectoryConfiguration_GetTargetResource_Destruct` + +1. Clean up resources, for example, free allocated memory. + +## MI implementation references + +- [Introducing the management infrastructure (MI) API](/archive/blogs/wmi/introducing-new-management-infrastructure-mi-api) +- [Implementing MI provider (1) - Overview](/archive/blogs/wmi/implementing-mi-provider-1-overview) +- [Implementing MI provider (2) - Define schema](/archive/blogs/wmi/implementing-mi-provider-2-define-schema) +- [Implementing MI provider (3) - Generate code](/archive/blogs/wmi/implementing-mi-provider-3-generate-code) +- [Implementing MI provider (4) - Generate code (continue)](/archive/blogs/wmi/implementing-mi-provider-4-generate-code-continute) +- [Implementing MI provider (5) - Implement](/archive/blogs/wmi/implementing-mi-provider-5-implement) +- [Implementing MI provider (6) - Build, register, and debug](/archive/blogs/wmi/implementing-mi-provider-6-build-register-and-debug) +- [MI interfaces](/previous-versions/windows/desktop/wmi_v2/mi-interfaces) +- [MI datatypes](/previous-versions/windows/desktop/wmi_v2/mi-datatypes) +- [MI structures and unions](/previous-versions/windows/desktop/wmi_v2/mi-structures-and-unions) +- [MI_Result enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_result) +- [MI_Type enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_type) diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md new file mode 100644 index 0000000000..f655d1ae19 --- /dev/null +++ b/windows/client-management/declared-configuration.md @@ -0,0 +1,65 @@ +--- +title: Declared configuration protocol +description: Learn more about using declared configuration protocol for desired state management of Windows devices. +ms.date: 09/26/2023 +ms.topic: overview +--- + +# What is the declared configuration protocol + +The declared configuration protocol is based on a desired state device configuration model, though it still uses the underlying OMA-DM Syncml protocol. Through a dedicated OMA-DM server, it provides all the settings in a single batch through this protocol. The device's declared configuration client stack can reason over the settings to achieve the desired scenario in the most efficient and reliable manner. + +The declared configuration protocol requires that a device has a separate [OMA-DM enrollment](mdm-overview.md), which is dependent on the device being enrolled with the primary OMA-DM server. The desired state model is a different model from the current model where the server is responsible for the device's desire state. This dual enrollment is only allowed if the device is already enrolled into a primary MDM server. This other enrollment separates the desired state management functionality from the primary functionality. The declared configuration enrollment's first desired state management model feature is called [extensibility](declared-configuration-extensibility.md). + +:::image type="content" source="images/declared-configuration-model.png" alt-text="Diagram illustrating the declared configuration model."::: + +With the [Declared Configuration CSP](mdm/declaredconfiguration-csp.md), the OMA-DM server can provide the device with the complete collection of setting names and associated values based on a specified scenario. The declared configuration stack on the device is responsible for handling the configuration request, and maintaining its state including updates to the scenario. + +The benefit of the declared configuration desired state model is that it's efficient and accurate, especially since it's the responsibility of the declared configuration client to configure the device. The efficiency of declared configuration is because the client can asynchronously process batches of scenario settings, which free up the server resources to do other work. Thus the declared configuration protocol has low latency. As for configuration quality and accuracy, the declared configuration client stack has detailed knowledge of the configuration surface area of the device. This behavior includes the proper handling of continuous device updates that affect the configuration scenario. + +## Declared configuration enrollment + +[Mobile Device Enrollment Protocol version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) describes enrollment including discovery, which covers the primary and declared configuration enrollments. The device uses the following new [DMClient CSP](mdm/dmclient-csp.md) policies for declared configuration dual enrollment: + +- [LinkedEnrollment/Enroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenroll) +- [LinkedEnrollment/Unenroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentunenroll) +- [LinkedEnrollment/EnrollStatus](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenrollstatus) +- [LinkedEnrollment/LastError](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentlasterror) +- [LinkedEnrollment/DiscoveryEndpoint](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint) + +The following SyncML example sets **LinkedEnrolment/DiscoveryEndpoint** and triggers **LinkedEnrollment/Enroll**: + +```xml +
- -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment. - -**Update/ScheduleImminentRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -Supported values are 15, 30, or 60 (minutes). - -The default value is 15 (minutes). - -**Update/ScheduledInstallDay** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the day of the update installation. - -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - -**Update/ScheduledInstallTime** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the time of the update installation. - -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - -**Update/ScheduleRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. - -Supported values are 2, 4, 8, 12, or 24 (hours). - -The default value is 4 (hours). - -**Update/SetAutoRestartNotificationDisable** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. - -The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - -**Update/UpdateServiceUrl** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -> [!Important] -> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - -Example - -```xml -
32: systems take Feature Updates on the Current Branch for Business
Other value or absent: receive all applicable updates (CB)| -|DeferQualityUpdates|REG_DWORD|1: defer quality updates
Other value or absent: don’t defer quality updates| -|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates| -|PauseQualityUpdates|REG_DWORD|1: pause quality updates
Other value or absent: don’t pause quality updates| -|DeferFeatureUpdates|REG_DWORD|1: defer feature updates
Other value or absent: don’t defer feature updates| -|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| -|PauseFeatureUpdates|REG_DWORD|1: pause feature updates
Other value or absent: don’t pause feature updates| -|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers| - -Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. - -- Update/RequireDeferUpgrade -- Update/DeferUpgradePeriod -- Update/DeferUpdatePeriod -- Update/PauseDeferrals - -## Update management user experience screenshot - -The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. - - - - - - -## SyncML example +### SyncML example Set auto update to notify and defer. @@ -929,16 +179,21 @@ Set auto update to notify and defer. The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog. - +:::image type="content" source="images/deviceupdatescreenshot3.png" alt-text="mdm device update management screenshot3."::: - +:::image type="content" source="images/deviceupdatescreenshot4.png" alt-text="mdm device update management screenshot4"::: - +:::image type="content" source="images/deviceupdatescreenshot5.png" alt-text="mdm device update management screenshot5"::: - +:::image type="content" source="images/deviceupdatescreenshot6.png" alt-text="mdm device update management screenshot6"::: - +:::image type="content" source="images/deviceupdatescreenshot7.png" alt-text="mdm device update management screenshot7"::: - +:::image type="content" source="images/deviceupdatescreenshot8.png" alt-text="mdm device update management screenshot8"::: - +:::image type="content" source="images/deviceupdatescreenshot9.png" alt-text="mdm device update management screenshot9"::: + +## Related articles + +- [Policy CSP - Update](mdm/policy-csp-update.md) +- [Policy configuration service provider](mdm/policy-configuration-service-provider.md) diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md index 371357b658..9b12683d3e 100644 --- a/windows/client-management/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md @@ -1,59 +1,39 @@ --- title: Disconnecting from the management infrastructure (unenrollment) description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. -MS-HAID: - - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' - - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 08/10/2023 --- # Disconnecting from the management infrastructure (unenrollment) -The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. -The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. +The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. +The users choose to disconnect for any number of reasons, such as leaving the company or getting a new device or not needing access to their LOB apps on the old device anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy. During disconnection, the client executes the following tasks: -- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. -- Removes certificates that are configured by MDM server. -- Ceases enforcement of the settings policies applied by the management infrastructure. -- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. -- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. - - -## In this topic - -- [User-initiated disconnection](#user-initiated-disconnection) -- [Server-initiated disconnection](#server-initiated-disconnection) -- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page) -- [IT admin–requested disconnection](#it-admin-requested-disconnection) -- [Unenrollment from Azure Active Directory Join](#dataloss) - +- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. +- Removes certificates that are configured by MDM server. +- Ceases enforcement of the settings policies applied by the management infrastructure. +- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. +- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. ## User-initiated disconnection -In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. > [!NOTE] -> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). - The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. -The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic. +The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article. -``` +```xml