This commit is contained in:
Joey Caparas 2017-08-17 13:32:42 -07:00
parent b102444f23
commit cfdebbc850
192 changed files with 3930 additions and 609 deletions

View File

@ -7647,7 +7647,7 @@
},
{
"source_path": "windows/manage/manage-corporate-devices.md",
"redirect_url": "/windows/client-management/manage-corporate-devices",
"redirect_url": "/windows/client-management/index",
"redirect_document_id": true
},
{

View File

@ -4,6 +4,7 @@ hide_bc: true
author: CelesteDG
ms.author: celested
ms.topic: hub-page
ms.localizationpriority: high
audience: microsoft-business 
title: Microsoft 365 Business documentation and resources
description: Learn about the product documentation and resources available for Microsoft 365 Business partners, IT admins, information workers, and business owners.
@ -12,7 +13,7 @@ description: Learn about the product documentation and resources available for M
<div class="container">
<ul class="cardsY panelContent featuredContent">
<li>
<a href="http://www.microsoft.com/en-us/microsoft-365/business">
<a href="http://www.microsoft.com/en-us/microsoft-365/business" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
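Review bot: The anchor for `http://www.microsoft.com/en-us/microsoft-365/business` gains `target="_blank"` with no `rel` attribute, so the page opened in the new tab keeps a `window.opener` reference back to this hub page. Add `rel="noopener noreferrer"` here and on the other anchors this commit gives `target="_blank"`, and consider changing this href to `https://` while the line is being edited.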
@ -30,7 +31,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364">
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -40,7 +41,7 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<span class="likeAnH3">For Partners and IT admins:<br />Get Started with Microsoft 365 Business</span>
<span class="likeAnH3">For Partners and IT admins:<br />Get started with Microsoft 365 Business</span>
</div>
</div>
</div>
@ -56,7 +57,7 @@ description: Learn about the product documentation and resources available for M
<a href="#partner-it">Partner/IT admin</a>
<ul id="partner-it">
<li>
<a data-default="true" href="#getstarted">Get Started</a>
<a data-default="true" href="#getstarted">Get started</a>
<ul id="getstarted" class="cardsC">
<li class="fullSpan">
<div class="container intro">
@ -64,7 +65,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="http://www.microsoft.com/en-us/microsoft-365/business">
<a href="http://www.microsoft.com/en-us/microsoft-365/business" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -74,8 +75,8 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<h3>Learn about Microsoft 365 Business</h3>
<p>Want to learn more about Microsoft 365 Business? Start here.</p>
<h3>Why Microsoft 365 Business?</h3>
<p>Learn how Microsoft 365 Business can empower your team, safeguard your business, and simplify IT management with a single solution.</p>
</div>
</div>
</div>
@ -83,7 +84,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="support/microsoft-365-business-faqs.md">
<a href="support/microsoft-365-business-faqs.md" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -102,7 +103,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364">
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -131,7 +132,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/96153102-1db1-4df8-bca5-38cea80b65ce">
<a href="https://support.office.com/article/96153102-1db1-4df8-bca5-38cea80b65ce" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -150,7 +151,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/d5155593-3bac-4d8d-9d8b-f4513a81479e">
<a href="https://support.office.com/article/d5155593-3bac-4d8d-9d8b-f4513a81479e" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -179,7 +180,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/ed34fff3-2881-4ed4-9906-1ba6bb8dd804">
<a href="https://support.office.com/article/ed34fff3-2881-4ed4-9906-1ba6bb8dd804" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -198,7 +199,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/cbc6bfe5-565a-4fb8-95f0-b06e7b74ac46">
<a href="https://support.office.com/article/cbc6bfe5-565a-4fb8-95f0-b06e7b74ac46" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -217,7 +218,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/80bdae57-f8bc-4e40-a58c-956007117ecb">
<a href="https://support.office.com/article/80bdae57-f8bc-4e40-a58c-956007117ecb" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -236,7 +237,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/c4db6caf-74df-4734-b1dd-53e371c7a3c3">
<a href="https://support.office.com/article/c4db6caf-74df-4734-b1dd-53e371c7a3c3" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -265,7 +266,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/bd66c26c-73a4-45a8-8642-3ea4ee7cd89d">
<a href="https://support.office.com/article/bd66c26c-73a4-45a8-8642-3ea4ee7cd89d" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -284,7 +285,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/6b70fa27-d171-4593-8ecf-f78bb4ed2e99">
<a href="https://support.office.com/article/6b70fa27-d171-4593-8ecf-f78bb4ed2e99" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -332,7 +333,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="#">
<a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -342,8 +343,8 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<h3>Identity migration</h3>
<p>Got on-premises AD and plan to move your organizations identity management to the cloud? Do a one-time sync using <a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846">Azure AD Connect</a>, or, if you have Exchange servers and plan to also migrate email to the cloud, do a one-time sync using <a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.</p>
<h3>Identity migration with Azure AD Connect</h3>
<p>Got on-premises AD and plan to move your organizations identity management to the cloud? Do a one-time sync using Azure AD Connect.<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.</p>
</div>
</div>
</div>
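Review bot: The rewritten `<p>` still ends with the old `<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.` fragment, which now follows "Azure AD Connect." with no space and no sentence around it. The card is already wrapped in an outer anchor (changed in the previous hunk), so this is also a nested `<a>`. The next hunk adds a separate card for minimal hybrid migration, so drop the leftover link and end the paragraph after "Azure AD Connect."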
@ -351,7 +352,26 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193">
<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-identity-manager.svg" alt="Identity integration" />
</div>
</div>
<div class="cardText">
<h3>Identity migration with minimal hybrid migration</h3>
<p>Or, if you have Exchange servers and plan to also migrate email to the cloud, do a one-time sync using minimal hybrid migration.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -380,7 +400,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://www.microsoft.com/solution-providers/search">
<a href="https://www.microsoft.com/solution-providers/search" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -398,6 +418,25 @@ description: Learn about the product documentation and resources available for M
</div>
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364#bkmk_support" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-advanced-management-technical-support-4.svg" alt="Submit a technical support request for Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Technical Support</h3>
<p>Submit a technical support request for Microsoft 365 Business.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="#">
<div class="cardSize">
@ -417,25 +456,6 @@ description: Learn about the product documentation and resources available for M
</div>
</a>
</li>
<li>
<a href="#">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-advanced-management-technical-support-4.svg" alt="Submit a technical support request for Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Technical Support - Coming soon</h3>
<p>Submit a technical support request for Microsoft 365 Business.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
<li>
@ -468,7 +488,7 @@ description: Learn about the product documentation and resources available for M
</li>
-->
<li>
<a href="https://docs.microsoft.com/windows">
<a href="https://docs.microsoft.com/en-us/windows/windows-10/" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -479,7 +499,7 @@ description: Learn about the product documentation and resources available for M
</div>
<div class="cardText">
<h3>Windows 10</h3>
<p>Learn more about Windows 10.</p>
<p>Find out what's new, how to apply custom configurations to devices, managing apps, deployment, and more.</p>
</div>
</div>
</div>
@ -487,7 +507,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://msdn.microsoft.com/partner-center/autopilot">
<a href="https://msdn.microsoft.com/partner-center/autopilot" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -516,7 +536,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/1970f7d6-03b5-442f-b385-5880b9c256ec">
<a href="https://support.office.com/article/1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -535,7 +555,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/365-2d2fa996-b760-411d-a5cc-190d63f13207">
<a href="https://support.office.com/article/365-2d2fa996-b760-411d-a5cc-190d63f13207" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -575,7 +595,7 @@ description: Learn about the product documentation and resources available for M
</li>
-->
<li>
<a href="https://support.office.com/article/74a1ef8b-3844-4d08-9980-9f8f7a36000f">
<a href="https://support.office.com/article/74a1ef8b-3844-4d08-9980-9f8f7a36000f" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -594,7 +614,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/7a5d073b-7fae-4aa5-8f96-9ecd041aba9c">
<a href="https://support.office.com/article/7a5d073b-7fae-4aa5-8f96-9ecd041aba9c" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -613,7 +633,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/ea7bf1b2-1c2f-477f-a813-313e3ce0d896">
<a href="https://support.office.com/article/ea7bf1b2-1c2f-477f-a813-313e3ce0d896" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -632,7 +652,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/a27f1a99-3557-4f85-9560-a28e3d822a40">
<a href="https://support.office.com/article/a27f1a99-3557-4f85-9560-a28e3d822a40" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -651,7 +671,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/46c667f7-5073-47b9-a75f-05a60cf77d91">
<a href="https://support.office.com/article/46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -690,7 +710,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/d868561b-d340-4c04-a973-e2575d7f09bc">
<a href="https://support.office.com/article/d868561b-d340-4c04-a973-e2575d7f09bc" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -709,7 +729,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/eb8244aa-a302-481a-b2b5-d34e88b18ec7">
<a href="https://support.office.com/article/eb8244aa-a302-481a-b2b5-d34e88b18ec7" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -728,7 +748,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193">
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -747,7 +767,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/c654bd23-d256-4ac7-8fba-0c993bf5a771">
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
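Review bot: The new href ends in `2d7ff45e-0da0-4caa-89a9-48cabf41f193`, the same article the card in the previous hunk already links to, and it replaces a different article id (`c654bd23-d256-4ac7-8fba-0c993bf5a771`) instead of only adding `target="_blank"` like the neighbouring edits. This looks like a copy-paste from the card above. If the retarget is intended, say so in the commit message; otherwise restore the original URL and add only the `target` attribute.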
@ -776,7 +796,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="http://support.office.com">
<a href="http://support.office.com" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -795,7 +815,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="http://support.microsoft.com/products/windows">
<a href="http://support.microsoft.com/products/windows" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -829,7 +849,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="http://www.microsoft.com/en-us/microsoft-365/business">
<a href="http://www.microsoft.com/en-us/microsoft-365/business" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -848,7 +868,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="support/microsoft-365-business-faqs.md">
<a href="support/microsoft-365-business-faqs.md" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -867,7 +887,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://www.microsoft.com/solution-providers/search">
<a href="https://www.microsoft.com/solution-providers/search" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">

View File

@ -5,9 +5,10 @@ author: CelesteDG 
ms.author: celested 
ms.topic: article 
ms.prod: microsoft-365-business
ms.localizationpriority: high
audience: microsoft-business 
keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers
ms.date: 07/10/2017
ms.date: 08/04/2017
---
# Microsoft 365 Business Frequently Asked Questions
@ -147,7 +148,7 @@ Who has access to the Microsoft 365 Business preview?
The Microsoft 365 Business preview is available to new customers as well as existing Office 365 subscribers in all [markets where Office 365 is currently available](https://products.office.com/en-us/business/international-availability).
Im an existing Office 365 customer. Can I access the Microsoft 365 Business preview?
--------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
Microsoft 365 Business can be used with existing Office 365 Business Premium subscriptions. Office 365 Business Premium subscribers that move to Microsoft 365 Business would not experience any end-user impacts (re-install Office, lose functionality, etc) upon assignment of the license. Customers running Office 365 Enterprise E3/E5 may experience end user impacts if they move to Microsoft 365 Business, it is not a recommended transition path at this time.
@ -185,8 +186,9 @@ Is there any charge for the Microsoft 365 Business preview?
No, Microsoft will not charge for the preview. If you work with an outside [IT partner](https://partnercenter.microsoft.com/en-us/pcv/search) and require assistance to deploy Microsoft 365 Business preview, they may charge you for their deployment services and assistance. At the end of the preview customers may convert to a paid subscription to continue using Microsoft 365 Business.
Im an existing Office 365 customer. Will I be charged for an Office 365 subscription while I am using the Microsoft 365 Business preview?
------------------------------------------------------------------------------------------------------------------------------------------
Customers will continue to be charged for any active Office 365 plan to which they are subscribed.
The Microsoft 365 Business preview is free and does not require an existing Office 365 Business Premium subscription. Current Office 365 customers will continue to be billed for active Office 365 subscriptions that are not associated with the Microsoft 365 Business preview.
What is the best way to deploy Microsoft 365 Business in my organization?
--------------------------------------------------------------------------

View File

@ -1,13 +1,15 @@
---
ms.localizationpriority: low
title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
ms.prod: ie11
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
author: eross-msft
ms.prod: ie11
ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
ms.localizationpriority: low
---
@ -23,7 +25,7 @@ ms.sitesec: library
You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
The information in this topic only covers HTTP protocol. We strongly recommend that you use HTTP protocol instead of file protocol due to increased performance.
The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
**How Internet Explorer 11 looks for an updated site list**
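Review bot: Swapping "HTTP" for "HTTPS" leaves the old rationale in place, so the sentence now recommends HTTPS over the file protocol "due to increased performance". The companion topic changed in this commit gives the reason for a secure web server as "to help protect against data tampering", and that reason belongs here too. Also confirm that the rest of this topic really describes HTTPS behaviour before stating that it "only covers HTTPS protocol".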

Binary file not shown.

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 39 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 18 KiB

View File

@ -1,13 +1,20 @@
---
ms.localizationpriority: low
title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
description: How to turn on Enterprise Mode and specify a site list.
ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
ms.prod: ie11
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: How to turn on Enterprise Mode and specify a site list.
author: eross-msft
ms.prod: ie11
ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
ms.localizationpriority: low
---
@ -23,8 +30,8 @@ ms.sitesec: library
Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 wont look for an updated list again until you restart the browser.
**Note**<br>
We recommend that you store and download your website list from a secure web sever (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
>[!NOTE]
>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
**To turn on Enterprise Mode using Group Policy**
@ -45,7 +52,7 @@ Turning this setting on also requires you to create and store a site list. For m
![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png)
- **HTTP location**: `"SiteList"="http://localhost:8080/sites.xml"`
- **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
- **Local network:** `"SiteList"="\\network\shares\sites.xml"`
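Review bot: The sample value `"SiteList"="https://localhost:8080/sites.xml"` keeps port 8080, which is conventionally used for plain HTTP, so the example reads as an HTTP endpoint with only the scheme changed. Use a sample host without the port, or a port typical for TLS, and check that `images/ie-emie-registrysitelist.png`, referenced just above, shows the same https value as the text.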

View File

@ -9,7 +9,7 @@ ms.pagetype: surfacehub
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.date: 06/19/2017
ms.date: 08/17/2017
ms.localizationpriority: medium
---
@ -24,7 +24,6 @@ The full list of accessibility settings are available to IT admins in the **Sett
| Accessibility feature | Default settings |
| --------------------- | ----------------- |
| Narrator | Off |
| Magnifier | Off |
| High contrast | No theme selected |
| Closed captions | Defaults selected for Font and Background and window |
@ -32,6 +31,17 @@ The full list of accessibility settings are available to IT admins in the **Sett
| Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
| Other options | Defaults selected for **Visual options** and **Touch feedback**. |
The accessibility feature Narrator is not available in the **Settings** app. By default, Narrator is turned off. To change the default settings for Narrator, perform the following steps using a keyboard and mouse.
1. Dismiss the Welcome screen.
2. Open **Quick Actions** > **Ease of Access** from the status bar.
![Screenshot of Ease of Access tile](images/ease-of-access.png)
3. Turn Narrator on.
4. Click **Task Switcher**.
5. Select **Narrator Settings** from Task Switcher. You can now edit the default Narrator settings.
Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md):
- Narrator
- Magnifier

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 06/19/2017
ms.date: 08/16/2017
ms.localizationpriority: medium
---
@ -465,7 +465,7 @@ PrintAction "Configuring password not to expire..."
Start-Sleep -s 20
try
{
Set-AdUser $mailbox.Alias -PasswordNeverExpires $true -Enabled $true
Set-AdUser $mailbox.UserPrincipalName -PasswordNeverExpires $true -Enabled $true
}
catch
{
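Review bot: `Set-AdUser $mailbox.UserPrincipalName` passes a UPN as the positional identity, but the Active Directory cmdlets resolve that parameter by distinguished name, GUID, SID or SAM account name, not by UPN, so the account will not be found and the call falls into the `catch` block. Resolve the account first with `Get-ADUser -Filter` on `UserPrincipalName` and pass the result to `Set-ADUser`, or keep passing a SAM account name.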
@ -1243,7 +1243,7 @@ if (!$fExIsOnline)
}
$strAlias = $mailbox.Alias
$strAlias = $mailbox.UserPrincipalName
$strDisplayName = $mailbox.DisplayName
$strLinkedAccount = $strLinkedDomain = $strLinkedUser = $strLinkedServer = $null
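Review bot: `$strAlias` now holds a UPN, so the variable name no longer describes its value, and any later use of `$strAlias` that expects a mailbox alias changes meaning without appearing in this diff. The next hunk stops using `$strAlias` for the AD lookup anyway, so either leave this assignment as `$mailbox.Alias` or rename the variable (for example `$strUpn`) and update every reference.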
@ -1424,7 +1424,7 @@ if ($fHasOnPrem)
else
{
#AD User enabled validation
$accountOnPrem = Get-AdUser $strAlias -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
$accountOnPrem = Get-AdUser $mailbox.UserPrincipalName -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
}
$strOnPremUpn = $accountOnPrem.UserPrincipalName
Validate -Test "There is a user account for $strOnPremUpn" -Condition ($accountOnprem -ne $null) -FailureMsg "Could not find an Active Directory account for this user"
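Review bot: `Get-AdUser $mailbox.UserPrincipalName` runs with `-ErrorAction SilentlyContinue`, so a lookup that fails because the identity is a UPN leaves `$accountOnPrem` null with nothing reported. `$strOnPremUpn` is then empty and the `Validate` line reports "Could not find an Active Directory account for this user" for accounts that exist. Look the account up with a filter on `UserPrincipalName` instead of passing the UPN as the identity, and use `$mailbox.UserPrincipalName` in the test message so it still names the account when the lookup returns nothing.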

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 06/19/2017
ms.date: 08/17/2017
ms.localizationpriority: medium
---
@ -16,6 +16,13 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## August 2017
New or changed topic | Description
--- | ---
[Accessibility](accessibility-surface-hub.md) | Added information about Narrator
## July 2017
| New or changed topic | Description |
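Review bot: The new August 2017 table is written without leading and trailing pipes (`New or changed topic | Description`), while the July 2017 table directly below uses them (`| New or changed topic | Description |`). Use the piped form for the new table so the change history stays consistent. The link in the context line, `[Surface Hub Admin Guide]( surface-hub-administrators-guide.md)`, also has a stray space after the opening parenthesis that could be fixed in the same pass.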

Binary file not shown.

After

Width:  |  Height:  |  Size: 46 KiB

View File

@ -1,6 +1,6 @@
---
title: Miracast on existing wireless network or LAN
description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
description: Windows 10 enables you to send a Miracast stream over a local network.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -32,13 +32,15 @@ Users attempt to connect to a Miracast receiver as they did previously. When the
## Enabling Miracast over Infrastructure
If you have a Surface Hub that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
If you have a Surface Hub or other Windows 10 device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
- The Surface Hub needs to be running Windows 10, version 1703.
- The Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- The DNS Hostname (device name) of the Surface Hub needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
- The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703.
- A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the Surface Hub or deviceneeds to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- PCs need to be running Windows 10, version 1703.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and dont have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
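Review bot: The new bullets overlap with the two kept at the end of the list: "Windows 10 PCs must be connected to the same enterprise network..." repeats the new "As a Miracast source..." bullet, and "PCs need to be running Windows 10, version 1703" repeats the new first bullet. Remove the two older bullets. In the DNS bullet, "deviceneeds" is missing a space, and its second sentence still covers only the Surface Hub although the first now says "Surface Hub or device". The open Wi-Fi sentence has the same issue: it says "If the Hub is connected" in a bullet that now applies to any receiver.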

View File

@ -68,9 +68,8 @@ Surface Hub interacts with a few different products and services. Depending on t
A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
After you've created your device account, there are a couple of ways to verify that it's setup correctly.
- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
- Use the account with the [Lync Microsoft Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub.
After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
## Prepare for first-run program
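Review bot: the single-sentence version of the verification step still reads "to verify that it's setup correctly"; as a verb this should be "set up". With the Lync sign-in check dropped, the validation scripts are the only verification path the section offers, so consider linking to the specific script in the appendix rather than to the appendix as a whole.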

View File

@ -28,7 +28,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| --- | ---- |
| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a policies section to inform you of any policies that affect the Take a Test app or functionality within the app. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
## June 2017

View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 07/28/2017
ms.date: 08/07/2017
---
# Take a Test app technical reference
@ -51,6 +51,18 @@ When Take a Test is running, the following MDM policies are applied to lock down
| AllowCortana | Disables Cortana functionality | 0 |
| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
## Group Policy
To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC.
| Functionality | Group Policy path | Policy |
| --- | --- | --- |
| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL |
| Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen |
| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen |
| Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode |
| Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Lock Computer |
## Allowed functionality
When Take a Test is running, the following functionality is available to students:
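Review bot: in the new Group Policy table the Functionality labels do not line up with the policies they name, so a reader cannot tell which policy state breaks activation. "Require Ctrl+Alt+Del" sits next to "Interactive logon: Do not Require CTRL+ALT+DEL", "Disable UAC" next to "User Account Control: Run all administrators in Admin Approval Mode", and "Disable local workstation" next to "Remove Lock Computer" (probably meant as "lock workstation"). The intro says the policies must be "not configured", which read literally also rules out leaving Admin Approval Mode explicitly enabled. Suggest adding a column with the required state for each policy and changing the intro to "the following Group Policy settings".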
@ -75,26 +87,6 @@ When Take a Test is running, the following functionality is available to student
- Ctrl+Alt+Del
- Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
## Policies
If the lock screen is disabled, Take a Test will not launch above lock. Be aware that if you set the following Group Policy, this breaks activation of Take a Test above lock.
**Group Policy path:** Computer Configuration\Administrative Templates\Control Panel\Personalization\ <br />
**Group Policy name:** Do not display the lock screen <br />
**ADML:** %SDXROOT%\shell\policies\ControlPanelDisplay.adml <br />
**ADMX:** %SDXROOT%\shell\policies\ControlPanelDisplay.admx <br />
 
```
<policy name="CPL_Personalization_NoLockScreen" class="Machine"
        displayName="$(string.CPL_Personalization_NoLockScreen)"
        explainText="$(string.CPL_Personalization_NoLockScreen_Help)"
        key="Software\Policies\Microsoft\Windows\Personalization"
        valueName="NoLockScreen">
  <parentCategory ref="Personalization" />
  <supportedOn ref="windows:SUPPORTED_Windows8" />
</policy>
```
## Learn more
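Review bot: the Policies section removed here was the only place that said why the lock screen policy matters ("Take a Test will not launch above lock") and gave the registry key and value (Software\Policies\Microsoft\Windows\Personalization, NoLockScreen) an admin could audit; the table that replaces it lists the policy with neither. Dropping the %SDXROOT% ADML/ADMX lines is reasonable, since they look like build-tree paths rather than anything present on a managed PC, but consider carrying the one-line explanation and the value name over to the new Group Policy section.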

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 08/01/2017
ms.date: 08/07/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@ -77,8 +77,36 @@ Make sure all drivers are installed and working properly on your device running
Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer.
<!--
| | | |
| - | - | - |
| [Acer](https://www.acer.com/ac/en/US/content/windows10s-compatible-list) | [American Future Tech](https://www.ibuypower.com/Support/Support) | [Asus](https://www.asus.com/event/2017/win10S/) |
| [Atec](http://www.atec.kr/contents/ms_info.html) | [Axdia](https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html) | [Casper](http://www.casper.com.tr/window10sdestegi) |
| [Cyberpower](https://www.cyberpowerpc.com/support/) | [Daewoo](http://www.lucoms.com/v2/cs/cs_windows10.asp) | [Fujitsu](http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update) |
| [Global K](http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html) | [HP](https://support.hp.com/us-en/document/c05588871) | [LANIT Trading](http://irbis-digital.ru/support/podderzhka-windows-10-s/) |
| [Lenovo](https://support.lenovo.com/us/en/solutions/ht504589) | [LG](http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html) | [MCJ](https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361) |
| [Micro P/Exertis](http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx) | [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s) | [MSI](https://www.msi.com/Landing/Win10S) |
| [Panasonic](https://panasonic.net/cns/pc/Windows10S/) | [Positivo SA](http://www.positivoinformatica.com.br/atualizacao-windows-10) | [Positivo da Bahia](http://www.br.vaio.com/atualizacao-windows-10/) |
| [Samsung](http://www.samsung.com/us/support/windows10s/) | [Toshiba](http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en) | [Trekstor](http://www.trekstor.de/windows-10-s-en.html) |
| [Trigem](http://www.trigem.co.kr/windows/win10S.html) | [Vaio](http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/) | [Wortmann](https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx) |
-->
| | | |
| - | - | - |
| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="https://www.ibuypower.com/Support/Support" target="_blank">American Future Tech</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> |
| <a href="http://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> | <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="http://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> |
| <a href="https://www.cyberpowerpc.com/support/" target="_blank">Cyberpower</a> | <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> |
| <a href="http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update" target="_blank">Fujitsu</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> |
| <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> | <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> |
| <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> | <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> |
| <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> | <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> |
| <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> |
| <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
> [!NOTE]
> We'll update this section with more information so check back again soon.
> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future.
<!--
* [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s)
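Review bot: every link in the new manufacturer table opens with target="_blank" and no rel attribute; add rel="noopener noreferrer" so the third-party page cannot reach back into the docs tab through window.opener. Several of the targets are also plain http://, the last row has two cells under a three-column header, and the old Markdown table is left in the file inside an HTML comment, where it has already drifted from the live one (it lacks Daten and Tongfang). Suggest deleting the commented copy. The note block also carries both "We'll update this section..." and "If you don't see any device listed..."; check that only the intended sentence remains.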
@ -172,7 +200,6 @@ To use an installation media to reinstall Windows 10, follow these steps.
Ready to test Windows 10 S on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
When you're ready, you can download the Windows 10 S installer by clicking the **Download installer** button below:
<!-- download the Windows 10 S installer from [this Microsoft website](https://go.microsoft.com/fwlink/?linkid=853240). -->
> [!div class="nextstepaction" style="center"]
> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)

View File

@ -233,7 +233,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png)
11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
11. <a name="suspc_pkgready"></a>When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
**Figure 9** - Provisioning package is ready
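Review bot: the bookmark added to step 11 uses `<a name="suspc_pkgready"></a>`; the name attribute on anchors is obsolete in HTML5, and other topics touched by this commit use the `<a href="" id="bkmk-...">` form. Suggest id="suspc_pkgready" here, and the same for suspc_installpkg in the next hunk, so the bookmark style stays consistent across the docs.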
@ -246,7 +246,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png)
13. Click **Next**.
14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
14. <a name="suspc_installpkg"></a>In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.

View File

@ -21,6 +21,7 @@
### [Manage private store settings](manage-private-store-settings.md)
### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
## [Device Guard signing portal](device-guard-signing-portal.md)
### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)

View File

@ -7,6 +7,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.date: 06/29/2017
---
# App inventory management for Microsoft Store for Business and Education
@ -166,3 +168,15 @@ You can download offline-licensed apps from your inventory. You'll need to downl
For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
## Manage products programmatically
Microsoft Store for Business and Education provides a set of Admin management APIs. If you orgranization develops scripts or tools, these APIs allow Admins to programmatically manage items in **Apps & software**. For more information, see [REST API reference for Microsoft Store for Business](https://docs.microsoft.com/windows/client-management/mdm/rest-api-reference-windows-store-for-business).
You can download a preview PoweShell script that uses REST APIs. The script is available from PowerShell Gallery. You can use to the script to:
- View items in inventory (**Apps & software**)
- Manage licenses - assigning and removing
- Perform bulk options using .csv files - this automates license management for customers with large numbers of licenses
> [!NOTE]
> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
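Review bot: the new "Manage products programmatically" section tells admins to download a preview script "from PowerShell Gallery" without a link, and the MSStore module is named only in the closing note, so readers are left to search the gallery for the right package. Link to microsoft-store-for-business-education-powershell-module.md (added in this commit) so they install the intended module. Typos in the same lines: "If you orgranization", "PoweShell", "You can use to the script to", and "bulk options" where the module topic says "bulk operations".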

Binary file not shown.


View File

@ -0,0 +1,155 @@
---
title: Microsoft Store for Business and Education PowerShell module - preview
description: Preview version of PowerShell module
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
ms.author:
ms.date:
---
# Microsoft Store for Business and Education PowerShell module - preview
**Applies to**
- Windows 10
Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
> [!NOTE]
> This is a preview and not intended for production environments. For production environments, continue to use **Microsoft Store for Business and Education** or your MDM tool to manage licenses. The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
You can use the PowerShell module to:
- View items you've purchased - shown in **Apps & software**
- Manage licenses - assigning and removing
- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
>[!NOTE]
>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Azure Active Directory Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
## Requirements
To use the Microsoft Store for Business and Education PowerShell module, you'll need:
- Administrator permission for the device
- Admin role for Microsoft Store for Business and Education
## Get started with Microsoft Store for Business and Education PowerShell module
All of the **Microsoft Store for Business and Education** PowerShell cmdlets follow the *Verb*-MSStore*Noun* pattern to clearly indicate that they work with **Microsoft Store for Business and Education** PowerShell module. You will need to install the module on your Windows 10 device once and then import it into each PowerShell session you start.
## Install Microsoft Store for Business and Education PowerShell module
> [!NOTE]
> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](http://www.microsoft.com/download/details.aspx?id=48729). The framework is included with Windows 10 by default).
To install **Microsoft Store for Business and Education PowerShell** with PowerShellGet, run this command:
```powershell
# Install the Microsoft Store for Business and Education PowerShell module from PowerShell Gallery
Install-Module -Name MSStore
```
## Import MIcrosoft Store for Business and Education PowerShell module into the PowerShell session
Once you install the module on your Windows 10 device, you will need to then import it into each PowerShell session you start.
```powershell
# Import the MSStore module into this session
Import-Module -Name MSStore
```
Next, authorize the module to call **Microsoft Store for Business and Education** on your behalf. This step is required once, per user of the PowerShell module.
To authorize the PowerShell module, run this command. You'll need to sign-in with your work or school account, and authorize the module to access your tenant.
```powershell
# Grant MSStore Access to your Microsoft Store for Business and Education
Grant-MSStoreClientAppAccess
```
You will be promted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used.
## View items in Products and Services
Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview.
```powershell
# View items in inventory (Apps & software)
Get-MSStoreInventory
```
>[!TIP]
>**Get-MSStoreInventory** won't return the product name for line-of-business apps. To get the product ID and SKU for a line-of-business app:
>
>1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
>2. Click **Manage** and then choose **Apps & software**.
>3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
>![Url after apps/ is product id and next is SKU](images/lob-sku.png)
## View people assigned to a product
Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
```powershell
# View products assigned to people
Get-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016
```
> [!Important]
> Microsoft Store for Business and Education identifies Minecraft: Education Edition license types using a combination of Product ID and SKU ID. To manage license assignments for your Minecraft: Education Edition, you need to specify Product and SKU IDs for the licenses you want to manage in the cmdlet. The following table lists the Product and SKU IDs.
| License Type | Product ID | SKU ID |
| ------------ | -----------| -------|
| Purchased through Microsoft Store for Business and Education with a credit card | CFQ7TTC0K5DR | 0001 |
| Purchased through Microsoft Store for Business and Education with an invoice | CFQ7TTC0K5DR | 0004 |
| Purchased through Microsoft Volume Licensing Agreement | CFQ7TTC0K5DR | 0002 |
| Acquired through Windows 10 device promotion | CFQ7TTC0K5DR | 0005 |
## Assign or reclaim products
Once you have enumerated items in **Products and Service**, you can assign or reclaim licenses to and from people in your org.
These commands assign a product to a user and then reclaim it.
```powershell
# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
Add-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
```
## Assign or reclaim a product with a .csv file
You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module.
**To assign or reclaim seats in bulk:**
```powershell
# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
Add-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
Remove-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
```
## Uninstall Microsoft Store for Business and Education PowerShell module
You can remove **Microsoft Store for Business and Education PowerShell** from your computer by running the following PowerShell Command.
```powershell
# Uninstall the MSStore Module
Get-InstalledModule -Name "MSStore" -RequiredVersion 1.0 | Uninstall-Module
```
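Review bot: the authorization step (Grant-MSStoreClientAppAccess) says the module is authorized "to access your tenant" under a Store admin account, but the topic never says what access is granted or how to withdraw it, and the Uninstall section only removes the module from the PC; add a sentence on the scope of the grant and on revoking it. Two sentences read as leftovers from Azure PowerShell documentation and should be rewritten for MSStore: "Azure PowerShell cmdlets are loaded and ready to be used" and "Service management should encounter no breaking changes as a result of the separation of Azure Service Management ...". Install-Module is run without a version while the uninstall command pins -RequiredVersion 1.0, which returns nothing if a different preview build was installed. Smaller items: ms.author and ms.date are empty in the front matter, the comments in the bulk example still say "to a User (user@host.com)" although the commands take -PathToCsv, the inventory page is called "Products and Services", "Products and Service" and "Product and Services" in turn, and there are typos at "PowerShell model", "MIcrosoft", "promted" and the stray ")" after "by default".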

View File

@ -18,6 +18,13 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
## July 2017
| New or changed topic | Description |
| --- | --- |
| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
## June 2017
| New or changed topic | Description |
| -------------------- | ----------- |

View File

@ -14,20 +14,12 @@ ms.pagetype: security
This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
Microsoft sites, services, and properties such as Windows Live, MSN, Xbox LIVE, Zune, Windows Phone, and computers running Windows 10, Windows 8.1, Windows 8, and Windows RT use a Microsoft account as a mean of identifying users. Microsoft account is the name for what was previously called Windows Live ID. It has user-defined secrets associated with it, and it consists of a unique email address and a password.
Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
There are some benefits and considerations when using Microsoft accounts in the enterprise. For more information, see [Microsoft account in the enterprise](#bkmk-msaccountintheenterprise) later in this topic.
When a user signs in with a Microsoft account, their device is connected to cloud services, and many of the settings, preferences, and apps associated with that user account can roam between devices.
**Note**  
This content applies to the operating system versions that are designated in the **Applies To** list at the beginning of this topic.
 
When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
## <a href="" id="bkmk-benefits"></a>How a Microsoft account works
The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the users computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
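Review bot: the rewritten opening sentence keeps "as a mean of identifying a user", which should be "a means of". The shortened follow-up, "It has user-defined secrets, and consists of a unique email address and a password", also reads as if the secrets were something other than the password; "It consists of a unique email address and a user-defined password" would say the same thing unambiguously.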
@ -35,19 +27,17 @@ When users sign in to websites that are enabled to use a Microsoft account, a ti
**Important**  
Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
 
### How Microsoft accounts are created
To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. If a user tries to create multiple Microsoft accounts with the same IP address, they are stopped.
To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped.
Microsoft accounts are not designed to be created in batches, for example, for a group of domain users within your enterprise.
Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise.
There are two methods for creating a Microsoft account:
- **Use an existing email address**.
Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal password.
Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords.
- **Sign up for a Microsoft email address**.
@ -118,13 +108,46 @@ Depending on your IT and business models, introducing Microsoft accounts into yo
### <a href="" id="bkmk-restrictuse"></a>Restrict the use of the Microsoft account
If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
The following Group Policy settings help control the use of Microsoft accounts in the enterprise:
The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication)
- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts)
1. Prevent users from creating new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
#### Block all consumer Microsoft account user authentication
2. Prevent users with an existing Microsoft account from signing in to Windows. Selecting this option might make it impossible for an existing administrator to sign in to a computer and manage the system.
This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
This applies both to existing users of a device and new users who may be added.
However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
By default, this setting is **Disabled**.
This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
The path to this setting is:
Computer Configuration\Administrative Templates\Windows Components\Microsoft account
#### Accounts: Block Microsoft accounts
This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
There are two options if this setting is enabled:
- **Users cant add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
- **Users cant add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).
By default, this setting is **Not defined**.
The path to this setting is:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
### <a href="" id="bkmk-cfgconnectedaccounts"></a>Configure connected accounts
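Review bot: the rewrite of "Restrict the use of the Microsoft account" drops the earlier warning that blocking sign-in "might make it impossible for an existing administrator to sign in to a computer and manage the system"; the new bullet for the second option ("add or log on with Microsoft accounts") only mentions use "through Settings", so the lockout risk is no longer stated anywhere. Suggest restoring that caveat under the second option. In the "Block all consumer Microsoft account user authentication" text, "If this setting is disabled or not configured" followed by "By default, this setting is Disabled" leaves the actual default state ambiguous, and the recommendation to enable the setting before any user signs in would be easier to act on if the topic said how long the authentication cache lasts or how to clear it. Both "The path to this setting is:" lines give only the containing folder; repeating the setting name after the path would save a lookup.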
@ -135,8 +158,6 @@ Users can disconnect a Microsoft account from their domain account at any time a
**Note**  
Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
 
### <a href="" id="bkmk-provisionaccounts"></a>Provision Microsoft accounts in the enterprise
Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.

View File

@ -11,6 +11,11 @@ author: brianlic-msft
# Change history for access protection
This topic lists new and updated topics in the [Access protection](index.md) documentation.
## August 2017
|New or changed topic |Description |
|---------------------|------------|
|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
## March 2017
|New or changed topic |Description |
|---------------------|------------|

View File

@ -33,25 +33,13 @@ The following known issues have been fixed by servicing releases made available
- Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219)
- Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221)
## Known issues involving third-party applications
The following issue affects the Java GSS API. See the following Oracle bug database article:
- [JDK-8161921: Windows 10 Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
When Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client:

View File

@ -100,15 +100,6 @@ You can also enable Credential Guard by using the [Device Guard and Credential G
DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
```
### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
#### Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
### Review Credential Guard performance
**Is Credential Guard running?**

View File

@ -35,6 +35,19 @@ The Virtualization-based security requires:
- CPU virtualization extensions plus extended page tables
- Windows hypervisor
### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
#### Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/)
For information about Remote Credential Guard hardware and software requirements, see [Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements)
## Application requirements
When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
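Review bot: the two "For information about ..." sentences added after the virtual machine requirements both end without a period, and the Remote Credential Guard link hard-codes the locale (docs.microsoft.com/en-us/...), so readers in other locales are forced to the English page. Use a relative link to the remote-credential-guard topic, or at least drop "/en-us". While this paragraph is open, "compatiblity" in the Application requirements text just below should be "compatibility".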

Binary file not shown.

Before: 23 KiB. After: 32 KiB.

View File

@ -127,11 +127,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
### Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller is a legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
### Cloud
Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements can may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional.
Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional.
## Planning a Deployment
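Review bot: the corrected Public Key Infrastructure and Cloud paragraphs still carry errors that this pass could fix. In the PKI paragraph, "depends on an enterprise public key infrastructure a trust anchor" is missing "as", and "enable connectivity on-premises resources" is missing "to". In the Cloud paragraph, "identifies and differentiate" should be "differentiates" and "from the those" should be "from those".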
@ -188,7 +188,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in
If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusive uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the users credential remain on the on-premises network.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the users credential remain on the on-premises network.
### Multifactor Authentication
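Review bot: the on-premises sentence says "then write **Azure MFA Server**" without naming the worksheet box, while the hybrid sentence just above it names box **1e**. Add the box reference so the instruction is complete. The same paragraph still reads "the users credential remain", which should be "the user's credentials remain".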
@ -204,13 +204,13 @@ If box **1a** on your planning worksheet reads **hybrid**, then you have a few o
You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service.
If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active Directory and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet.
The last option is for you to use AD FS with a third-party adapter to as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, then you have two second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter.
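Review bot: in the paragraph on the on-premises Azure MFA server adapter, "it communicates with an on-premises AD FS server that synchronizes user information" looks wrong: the subject is already AD FS, and the next sentence refers to "The Azure MFA server" with nothing earlier for it to refer back to. Please confirm whether this should read "an on-premises Azure MFA server". Also, "(username and passwords)" in the Azure AD Connect paragraph should be "usernames and passwords" to match "(usernames only)" earlier in the same sentence.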
@ -261,7 +261,7 @@ Review the trust type portion of this section if box **4d** on your planning wor
### Public Key Infrastructure
Public key infrastructure prerequisites already exist on your planning worksheet. These conditions are the minimum requirements for any hybrid our on-premises deployment. Additional conditions may be needed based on your trust type.
Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type.
If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure.

View File

@ -47,12 +47,15 @@ Use the following table to compare different security options for Remote Desktop
## Hardware and software requirements
The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
To use Remote Credential Guard, the Remote Desktop client and server must meet the following requirements:
- They must be joined to an Active Directory domain
- Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain.
- They must use Kerberos authentication.
- They must be running at least Windows 10, version 1607 or Windows Server 2016.
- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
- For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
## Enable Remote Credential Guard
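Review bot: the new requirements list does not say whether a client on Windows 10, version 1703 has to be domain-joined. The NOTE ties domain membership and the trust relationship to clients "running earlier versions, at minimum Windows 10 version 1607", which implies a 1703 client using other credentials does not need it, but that is never stated. Spell it out, since it changes which devices may connect. The added bullets also switch from "Remote Desktop server" to "remote host" for the same machine, and the Kerberos bullet ends without a period.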

View File

@ -100,5 +100,5 @@
#### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
## [Service Host process refactoring](svchost-service-refactoring.md)
## [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Change history for Application management](change-history-for-application-management.md)

View File

@ -18,6 +18,6 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
| New or changed topic | Description |
| --- | --- |
| [Service Host process refactoring](svchost-service-refactoring.md) | New |
| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |
| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |

View File

@ -13,7 +13,7 @@ ms.localizationpriority: medium
**Applies to**
- Windows 10
Learn about managing applications in Window 10 and Windows 10 Mobile clients.
Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
| Topic | Description |

View File

@ -7,6 +7,7 @@
## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile device management for solution providers](mdm/index.md)
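Review bot: the new TOC entry is titled "Transitioning to modern management", while the index table in this same commit lists the same file (manage-windows-10-in-your-organization-modern-management.md) as "Transitioning to modern ITPro management". Pick one title and use it in both places.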

View File

@ -18,15 +18,15 @@ Learn about the administrative tools, tasks and best practices for managing Wind
| Topic | Description |
|---|---|
|[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.|
|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[Manage corporate devices](manage-corporate-devices.md)| Listing of resources to manage all your corporate devices running Windows 10 : desktops, laptops, tablets, and phones |
|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
|[Mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
|[Create mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. |
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
|[Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|
|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. |
|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. |

View File

@ -6,6 +6,7 @@
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
@ -199,10 +200,12 @@
#### [ErrorReporting](policy-csp-errorreporting.md)
#### [EventLogService](policy-csp-eventlogservice.md)
#### [Experience](policy-csp-experience.md)
#### [ExploitGuard](policy-csp-exploitguard.md)
#### [Games](policy-csp-games.md)
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [Location](policy-csp-location.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/10/2017
---
# AppLocker CSP
@ -791,8 +791,70 @@ The following list shows the apps that may be included in the inbox.
 
## Whitelist example
## Whitelist examples
The following example disables the calendar application.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>&lt;AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"&gt;&lt;Deny&gt;&lt;App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/&gt;&lt;/Deny&gt;&lt;/AppPolicy&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
The following example blocks the usage of the map application.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
The following example for Windows 10 Mobile denies all apps and allows the following apps:
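Review bot: in the maps example, the deny rule's Description says "Deny members of the local Administrators group to run maps." but its UserOrGroupSid is S-1-1-0, the same SID the default rule in this example describes as the Everyone group. As written the rule denies everyone, so the description (or the SID) should be corrected; an admin copying this to restrict only administrators would get a much broader block. The rule Name "Deny Splash appmaps" also looks like a leftover. Separately, the heading becomes "Whitelist examples" while both added examples are deny rules, and the calendar example targets ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions rather than an AppLocker node, which deserves a sentence of explanation in an AppLocker CSP topic.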

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/06/2017
ms.date: 08/14/2017
---
# BitLocker CSP
@ -34,6 +34,11 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.</p>
- 0 (default) Storage cards do not need to be encrypted.
- 1 Require Storage cards to be encrypted.
<p style="margin-left: 20px">Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.</p>
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
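Review bot: the added paragraph "Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on." repeats the sentence that already ends the data-type paragraph above it, and it says "system card" where that paragraph and the two value bullets say storage card. Drop the duplicate, or keep one copy with "storage card".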
@ -87,7 +92,37 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).</p>
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)*</li>
<li>GP name: *EncryptionMethodWithXts_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
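Review bot: the rewritten EncryptionMethodByDriveType description still has "encrytion" for "encryption". The hunk also mixes "Bitlocker" (in the description and the GP path) with "BitLocker" (in the paragraph that follows); please check the casing against the product name and the actual Group Policy path. The ADMX Info items use markdown asterisks inside HTML list items, so confirm they render as italics rather than as literal asterisks.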
@ -135,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).</p>
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Require additional authentication at startup*</li>
<li>GP name: *ConfigureAdvancedStartup_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
@ -199,7 +264,37 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).</p>
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name:*Configure minimum PIN length for startup*</li>
<li>GP name: *MinimumPINLength_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
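Review bot: in the ADMX Info list for SystemDrivesMinimumPINLength, "GP English name:*Configure minimum PIN length for startup*" is missing the space after the colon that the other ADMX lists in this file have.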
@ -234,6 +329,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Configure pre-boot recovery message and URL*</li>
<li>GP name: *PrebootRecoveryInfo_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
</p>
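Review bot: In the ADMX Info list, the values are wrapped in Markdown asterisks inside raw HTML list items, for example `<li>GP name: *PrebootRecoveryInfo_Name*</li>`. Markdown emphasis is generally not processed inside a block-level HTML element, so these are likely to render with literal asterisks. Use `<em>` inside the HTML list or convert the list to a Markdown list. Separately, the description paragraph at the end of the hunk reads "replace the existing URL that are displayed" and leaves its closing `</p>` on a line of its own; if that paragraph is being touched, fix the agreement ("that is displayed") and keep the tag on the same line as in the other settings.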
@ -285,6 +410,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Choose how BitLocker-protected operating system drives can be recovered*</li>
<li>GP name: *OSRecoveryUsage_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
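Review bot: The GP path entry spells the product as "Bitlocker Drive Encryption", while the description paragraph at the end of this hunk uses "BitLocker". Check the path against the casing shown in the Group Policy Editor so that a reader who searches for the string gets an exact match; the same path spelling recurs in the other ADMX Info lists added to this file.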
@ -352,7 +507,37 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Choose how BitLocker-protected fixed drives can be recovered*</li>
<li>GP name: *FDVRecoveryUsage_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
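Review bot: The "direct mapping" sentence for FixedDrivesRecoveryOptions appears in two versions, and one of them ends in empty parentheses, `"Choose how BitLocker-protected fixed drives can be recovered" ().`, where the other carries (FDVRecoveryUsage_Name). If the empty-parentheses version is the one being added, the policy name has been dropped from the prose. Restore (FDVRecoveryUsage_Name), which also matches the GP name given in the ADMX Info list a few lines further down.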
@ -422,6 +607,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Deny write access to fixed drives not protected by BitLocker*</li>
<li>GP name: *FDVDenyWriteAccess_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
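Review bot: The edition table and the Tip block under FixedDrivesRequireEncryption are character-for-character the same as the ones added under the three preceding settings, and only the four ADMX Info values differ. If the docs build supports includes, move the table and the Tip into a shared fragment and reference it from each setting, so a later change to edition support does not have to be made in every copy and cannot drift between them.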
@ -454,6 +669,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Deny write access to removable drives not protected by BitLocker*</li>
<li>GP name: *RDVDenyWriteAccess_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Removeable Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
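Review bot: The GP path line under RemovableDrivesRequireEncryption reads "Windows Components/Bitlocker Drive Encryption/Removeable Drives"; "Removeable" is misspelled, and the setting name and the description in the same hunk both use "Removable". Since admins use this string to locate the policy, copy the folder name exactly as it appears in the Group Policy Editor rather than retyping it.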
@ -495,6 +740,31 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace>
```
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
<p style="margin-left: 20px">The following list shows the supported values:</p>
- 0 Disables the warning prompt.
- 1 (default) Warning prompt allowed.
<p style="margin-left: 20px">Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
```
### SyncML example
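Review bot: The sentence introducing the SyncML for AllowWarningForOtherDiskEncryption says "If you want to disable this policy use the following SyncML", but the payload sets `<Data>0</Data>`, which per the value list disables the warning prompt, not the policy. Reword it to "To disable the warning prompt, use the following SyncML". The node description also lacks the data type and supported operations line that the other nodes in this file carry; the example implies an integer and Replace, so state that explicitly.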
@ -659,29 +929,3 @@ The following example is provided to show proper format and should not be taken
</SyncBody>
</SyncML>
```
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
<p style="margin-left: 20px">The following list shows the supported values:</p>
- 0 Disables the warning prompt.
- 1 (default) Warning prompt allowed.
<p style="margin-left: 20px">Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
```

View File

@ -183,14 +183,15 @@ The following diagram shows the CM\_CellularEntries configuration service provid
<p style="margin-left: 20px"> For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
<a href="" id="purposegroups"></a>**PurposeGroups**
<p style="margin-left: 20px"> Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
<p style="margin-left: 20px"> Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10)
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10)
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
- Application - 52D7654A-00A8-4140-806C-087D66705306
## Additional information
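Review bot: PurposeGroups goes from "Optional" to "Required" with no indication of which Windows 10 version the requirement starts in, and the Purchase and Administrative entries lose "(added in the next version of Windows 10)" without a concrete version taking its place. The new Application GUID has no version note either. State the version for the Required change and for each added purpose value, otherwise a reader managing older builds cannot tell whether omitting PurposeGroups, or using these three GUIDs, is valid there.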

View File

@ -178,6 +178,9 @@ The following diagram shows the DevDetail configuration service provider managem
<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!Note]
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
<p style="margin-left: 20px">Supported operation is Get.
## Related topics
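Review bot: The added Note on DeviceHardwareData reads awkwardly ("It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information"). Suggest "By design, the blob is not human readable and cannot be parsed for hardware information." Also check that the `> [!Note]` lines are separated by a blank line from the unclosed `<p style="margin-left: 20px">` before them, since a Markdown blockquote that directly follows an open HTML block may be swallowed into it and not render as a note.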

View File

@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/10/2017
---
# DeviceManageability CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
@ -30,11 +33,24 @@ Interior node.
<a href="" id="capabilities-cspversions"></a>**Capabilities/CSPVersions**
Returns the versions of all configuration service providers supported on the device for the MDM service.
<a href="" id="capabilities"></a>**Provider**
Added in Windows 10, version 1709. Interior node.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_**
Added in Windows 10, version 1709. Provider ID of the configuration source.
 
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo**
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source. Recommended to send to server during MDM enrollment.
Data type is string. Supported operations are Add, Get, Delete, and Replace. 
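Review bot: The four new Provider entries reuse the anchors of the existing nodes: Provider is given `id="capabilities"`, and Provider/_ProviderID_, ConfigInfo and EnrollmentInfo are all given `id="capabilities-cspversions"`. Duplicate ids make the HTML invalid and send every deep link to the first element that carries the id, so none of the new nodes can be linked to. Give each one its own id following the existing pattern, for example provider, provider-providerid, provider-providerid-configinfo and provider-providerid-enrollmentinfo.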
 

View File

@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/10/2017
---
# DeviceManageability DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:
@ -20,7 +23,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
The XML below is for Windows 10, version 1709.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -46,7 +49,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/DeviceManageability</MIME>
<MIME>com.microsoft/1.1/MDM/DeviceManageability</MIME>
</DFType>
</DFProperties>
<Node>
@ -90,9 +93,105 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Provider</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Provider</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<Description>Provider ID String of the Configuration Source</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ProviderID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ConfigInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Configuration Info string value set by the config source. Recommended to be used during sync session.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ConfigInfo</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnrollmentInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>EnrollmentInfo</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
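Review bot: In the EnrollmentInfo node the Description reads "Recommended to sent to server during MDM enrollment"; that should be "Recommended to be sent to the server", matching the wording used for the same node in the CSP topic. The AccessType children are also listed in a different order for ConfigInfo (Get, Replace, Add, Delete) and EnrollmentInfo (Get, Add, Delete, Replace); the order has no functional meaning, but keeping the two siblings identical makes it easier to confirm they expose the same operations. If this XML is copied from a generated DDF, fix the typo at the source as well.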
 

View File

@ -231,7 +231,7 @@ The value is the number of seconds of battery life remaining when the device is
Supported operation is Get.
<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any).
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string.
Supported operation is Get.
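Review bot: The DeviceStatus/DomainName description says "Added in Windows, version 1709", which is missing the product version; the other topics in this commit write "Windows 10, version 1709". Since this line is being edited to add the empty-string behaviour, correct the version phrase in the same change.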

View File

@ -0,0 +1,300 @@
---
title: Enable ADMX-backed policies in MDM
description: Guide to configuring ADMX-backed policies in MDM
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/11/2017
---
# Enable ADMX-backed policies in MDM
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This is a step-by-step guide to configuring ADMX-backed policies in MDM.
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX-backed policies.
- Find the Group Policy related information from the MDM policy description.
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
- Create the data payload for the SyncML.
## Enable a policy
1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.
- GP English name
- GP name
- GP ADMX file name
- GP path
2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Click **Start**, then in the text box type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch it.
![GPEdit search](images/admx-gpedit-search.png)
3. In **Local Computer Policy** navigate to the policy you want to configure.
In this example, navigate to **Administrative Templates > System > App-V**.
![App-V policies](images/admx-appv.png)
4. Double-click **Enable App-V Client**.
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
![Enable App-V client](images/admx-appv-enableapp-vclient.png)
3. Create the SyncML to enable the policy that does not require any parameter.
In this example you configure **Enable App-V Client** to **Enabled**.
> [!Note]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient </LocURI>
</Target>
<Data>&lt;Enabled/&gt;</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Enable a policy that requires parameters
1. Create the SyncML to enable the policy that requires parameters.
In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png)
![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png)
2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
![Publishing server 2 policy description](images/admx-appv-policy-description.png)
3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
4. Search for GP name **Publishing_Server2_policy**.
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor.
Here is the snippet from appv.admx:
``` syntax
<!-- Publishing Server 2 -->
<policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)"
explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)"
key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
<parentCategory ref="CAT_Publishing" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
<text id="Publishing_Server_URL_Prompt" valueName="URL" required="true"/>
<enum id="Global_Publishing_Refresh_Options" valueName="GlobalEnabled">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="Global_Refresh_OnLogon_Options" valueName="GlobalLogonRefresh">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<decimal id="Global_Refresh_Interval_Prompt" valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="Global_Refresh_Unit_Options" valueName="GlobalPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.Day)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="User_Publishing_Refresh_Options" valueName="UserEnabled">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="User_Refresh_OnLogon_Options" valueName="UserLogonRefresh">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<decimal id="User_Refresh_Interval_Prompt" valueName="UserPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="User_Refresh_Unit_Options" valueName="UserPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.Day)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
</elements>
</policy>
```
6. From the \<elements> tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor.
Here is the example XML for Publishing_Server2_Policy :
``` syntax
<data id="Publishing_Server2_Name_Prompt" value="Name"/>
<data id="Publishing_Server_URL_Prompt" value="http://someuri"/>
<data id="Global_Publishing_Refresh_Options" value="1"/>
<data id="Global_Refresh_OnLogon_Options" value="0"/>
<data id="Global_Refresh_Interval_Prompt" value="15"/>
<data id="Global_Refresh_Unit_Options" value="0"/>
<data id="User_Publishing_Refresh_Options" value="0"/>
<data id="User_Refresh_OnLogon_Options" value="0"/>
<data id="User_Refresh_Interval_Prompt" value="15"/>
<data id="User_Refresh_Unit_Options" value="1"/>
```
7. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
Here is the example for **AppVirtualization/PublishingAllowServer2**:
> [!Note]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data
id="Publishing_Server_URL_Prompt" value="URL prompt"/><data
id="Global_Publishing_Refresh_Options" value="1"/><data
id="Global_Refresh_OnLogon_Options" value="0"/><data
id="Global_Refresh_Interval_Prompt" value="15"/><data
id="Global_Refresh_Unit_Options" value="0"/><data
id="User_Publishing_Refresh_Options" value="0"/><data
id="User_Refresh_OnLogon_Options" value="0"/><data
id="User_Refresh_Interval_Prompt" value="15"/><data
id="User_Refresh_Unit_Options" value="1"/>]]>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Disable a policy
The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Setting a policy to not configured
The \<Data> payload is empty. Here an example to set AppVirtualization/PublishingAllowServer2 to "Not Configured."
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
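Review bot: In the SyncML for AppVirtualization/PublishingAllowServer2 under "Enable a policy that requires parameters", the CDATA section sits directly inside `<Item>` after `</Target>` with no enclosing `<Data>` element, unlike the enable and disable examples, which use `<Data>&lt;Enabled/&gt;</Data>` and `<Data>&lt;disabled/&gt;</Data>`. As written the payload is not in the element the Note above it describes, so wrap the CDATA in `<Data>...</Data>`. A few smaller points in the same file: the first example has a trailing space inside `<LocURI>` after AllowAppVClient; the enable payload is written `<Enabled/>` in one example and `<enabled/>` in the next, so pick one casing or say that it is not significant; step 4 searches for "Publishing_Server2_policy" while the ADMX snippet has "Publishing_Server2_Policy"; step 6 says to copy the text id and enum id values, but the sample XML also includes the two decimal ids; and "Setting a policy to not configured" states that the `<Data>` payload is empty while the example is a Delete command that has no `<Data>` element at all.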

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/09/2017
---
# EnterpriseDataProtection CSP
@ -44,8 +44,8 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
- 0 (default) Off / No protection (decrypts previously protected data).
- 1 Silent mode (encrypt and audit only).
- 2 Override mode (encrypt, prompt, and audit).
- 3 Block mode (encrypt, block, and audit).
- 2 Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 Hides overrides (encrypt, prompt but hide overrides, and audit).
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
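Review bot: The replacement text for value 3 changes the described behaviour, from "Block mode (encrypt, block, and audit)" to "Hides overrides (encrypt, prompt but hide overrides, and audit)", and the two new labels are not parallel ("Allow override mode" next to "Hides overrides"). Confirm that value 3 still blocks the action for the user, and if it does, say so explicitly, because an admin choosing an enforcement level needs to know whether the data transfer is prevented or only prompted. Suggest parallel names such as "Allow overrides" and "Hide overrides".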

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/11/2017
---
# Mobile device enrollment
@ -59,26 +59,30 @@ The following topics describe the end-to-end enrollment process using various au
> - Any fixed URIs that are passed during enrollment
> - Specific formatting of any value unless otherwise noted, such as the format of the device ID.
## Enrollment support for domain-joined devices
 
Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
## Prevent MDM enrollments
## Disable MDM enrollments
Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy:
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png)
Here is the corresponding registry key:
Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
Value: DisableRegistration
Using the GP editor, the path is Computer configuration &gt; Administrative Templates &gt; Windows Components &gt; MDM &gt; Disable MDM Enrollment.
## Enrollment scenarios not supported
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -&gt; **System** -&gt; **About**.
- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -&gt; **System** -&gt; **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration
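Review bot: Renaming the heading from "Prevent MDM enrollments" to "Disable MDM enrollments" changes the generated anchor, so any existing link to #prevent-mdm-enrollments will stop resolving; check inbound links or keep an explicit anchor for the old id. In the same section the registry entry is given as "Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM" and "Value: DisableRegistration" with no hive, value type or data, which is not enough for an admin to set or audit the setting; add those details. Minor wording: "on-premise Active Directory" should be "on-premises", and "IT admin can disable" needs an article or a plural.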

View File

@ -10,11 +10,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/28/2017
ms.date: 08/14/2017
---
# What's new in MDM enrollment and management
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@ -677,12 +678,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
<li>Update/DetectionFrequency</li>
<li>Update/EngagedRestartDeadline</li>
<li>Update/EngagedRestartSnoozeSchedule</li>
<li>Update/EngagedRestartTransistionSchedule</li>
<li>Update/EngagedRestartTransitionSchedule</li>
<li>Update/IgnoreMOAppDownloadLimit</li>
<li>Update/IgnoreMOUpdateDownloadLimit</li>
<li>Update/PauseFeatureUpdatesStartTime</li>
@ -960,19 +960,52 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</td></tr>
<tr class="even">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Here are the changes in Windows 10, version 1709.</p>
<td style="vertical-align:top"><p>Added the following setting in Windows 10, version 1709.</p>
<ul>
<li>Added Configuration node</li>
<li>Configuration</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DeviceManageability CSP](devicemanageability-csp.md)</td>
<td style="vertical-align:top"><p>Added the following settings in Windows 10, version 1709:</p>
<ul>
<li>Provider/_ProviderID_/ConfigInfo</li>
<li> Provider/_ProviderID_/EnrollmentInfo</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>CredentialProviders/EnableWindowsAutoPilotResetCredentials</li>
<li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
<li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
<li>DeviceGuard/RequirePlatformSecurityFeatures</li>
<li>DeviceGuard/LsaCfgFlags</li>
<li>ExploitGuard/ExploitProtectionSettings</li>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>Power/DisplayOffTimeoutOnBattery</li>
<li>Power/DisplayOffTimeoutPluggedIn</li>
<li>Power/HibernateTimeoutOnBattery</li>
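Review bot: Three of the new LocalPoliciesSecurityOptions entries in the Policy CSP row are spelled "Interactivelogon_" (DoNotDisplayLastSignedIn, DoNotDisplayUsernameAtSignIn, DoNotRequireCTRLALTDEL), while the entries around them and the Policy CSP index added in this same commit use "InteractiveLogon_". Readers copy these names into policy paths, so pick one spelling and use it in every list. Separately, the new DeviceManageability row is class="odd" and is followed directly by another class="odd" row, and its second item has a stray leading space in "<li> Provider/_ProviderID_/EnrollmentInfo</li>".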
@ -1280,6 +1313,97 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### August 2017
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)</td>
<td style="vertical-align:top"><p>Added new step-by-step guide to enable ADMX-backed policies.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Mobile device enrollment](mobile-device-enrollment.md)</td>
<td style="vertical-align:top"><p>Added the following statement:</p>
<ul>
<li>Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[CM\_CellularEntries CSP](cm-cellularentries-csp.md)</td>
<td style="vertical-align:top"><p>Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)</td>
<td style="vertical-align:top"><p>Updated the Settings/EDPEnforcementLevel values to the following:</p>
<ul>
<li> 0 (default) Off / No protection (decrypts previously protected data).</li>
<li> 1 Silent mode (encrypt and audit only).</li>
<li> 2 Allow override mode (encrypt, prompt and allow overrides, and audit).</li>
<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[AppLocker CSP](applocker-csp.md)</td>
<td style="vertical-align:top"><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DeviceManageability CSP](devicemanageability-csp.md)</td>
<td style="vertical-align:top"><p>Added the following settings in Windows 10, version 1709:</p>
<ul>
<li>Provider/_ProviderID_/ConfigInfo</li>
<li> Provider/_ProviderID_/EnrollmentInfo</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top">Added information to the ADMX-backed policies.
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>ExploitGuard/ExploitProtectionSettings</li>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
</ul>
<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
<p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).</p>
</td></tr>
</tbody>
</table>
### July 2017
<table>
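Review bot: "PuposeGroups" in the CM_CellularEntries row looks like a misspelling of the PurposeGroups node; check it against the CSP topic before this lands in the change history. In the same table every row except the last is class="odd", so the alternating row styling is lost, and the Policy CSP row repeats the "Interactivelogon_" spelling for three entries that the Policy CSP index spells "InteractiveLogon_". The rename sentence would also read more clearly in from/to order: old name first, then CredentialProviders/DisableAutomaticReDeploymentCredentials.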
@ -1881,11 +2005,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<li>TimeLanguageSettings/AllowSet24HourClock</li>
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
<li>Update/EngagedRestartDeadline</li>
<li>Update/EngagedRestartSnoozeSchedule</li>
<li>Update/EngagedRestartTransistionSchedule</li>
<li>Update/EngagedRestartTransitionSchedule</li>
<li>Update/SetAutoRestartNotificationDisable</li>
<li>WindowsLogon/HideFastUserSwitching</li>
</ul>

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/27/2017
ms.date: 08/14/2017
---
# Policy CSP
@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-bitlocker.md#bitlocker-encryptionmethod" id="bitlocker-encryptionmethod">Bitlocker/EncryptionMethod</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#encryptionmethodbydrivetype" id="encryptionmethodbydrivetype">BitLocker/EncryptionMethodByDriveType</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrecoveryoptions" id="fixeddrivesrecoveryoptions">BitLocker/FixedDrivesRecoveryOptions</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrequireencryption" id="fixeddrivesrequireencryption">BitLocker/FixedDrivesRequireEncryption</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#removabledrivesrequireencryption" id="removabledrivesrequireencryption">BitLocker/RemovableDrivesRequireEncryption</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesminimumpinlength" id="systemdrivesminimumpinlength">BitLocker/SystemDrivesMinimumPINLength</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoverymessage" id="systemdrivesrecoverymessage">BitLocker/SystemDrivesRecoveryMessage</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoveryoptions" id="systemdrivesrecoveryoptions">BitLocker/SystemDrivesRecoveryOptions</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrequirestartupauthentication" id="systemdrivesrequirestartupauthentication">BitLocker/SystemDrivesRequireStartupAuthentication</a> in BitLocker CSP
</dd>
</dl>
### Bluetooth policies
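Review bot: The eight new BitLocker anchors use bare ids such as id="encryptionmethodbydrivetype", while the existing entry just above follows the area-prefixed pattern id="bitlocker-encryptionmethod". Unprefixed ids on an index page this large are easy to collide with later and break the convention other links rely on; prefix them (for example bitlocker-encryptionmethodbydrivetype). The link text also switches to "BitLocker/" where the existing entry reads "Bitlocker/EncryptionMethod", so the area name is now spelled two ways in one list.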
@ -534,7 +558,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword" id="credentialproviders-blockpicturepassword">CredentialProviders/BlockPicturePassword</a>
</dd>
<dd>
<a href="./policy-csp-credentialproviders.md#credentialproviders-enablewindowsautopilotresetcredentials" id="credentialproviders-enablewindowsautopilotresetcredentials">CredentialProviders/EnableWindowsAutoPilotResetCredentials</a>
<a href="./policy-csp-credentialproviders.md#credentialproviders-disableautomaticredeploymentcredentials" id="credentialproviders-disableautomaticredeploymentcredentials">CredentialProviders/DisableAutomaticReDeploymentCredentials</a>
</dd>
</dl>
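Review bot: Renaming CredentialProviders/EnableWindowsAutoPilotResetCredentials to DisableAutomaticReDeploymentCredentials flips the polarity of the policy name, and nothing in this hunk shows whether the documented values flipped with it. Confirm that policy-csp-credentialproviders.md describes the values in the new "Disable" sense, since an admin who carries over the old value could end up with the opposite behaviour on a credential-related setting. The anchor id changes as well, so any existing deep links to #credentialproviders-enablewindowsautopilotresetcredentials will stop resolving; search the repo for the old fragment.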
@ -978,6 +1002,14 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### ExploitGuard policies
<dl>
<dd>
<a href="./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings" id="exploitguard-exploitprotectionsettings">ExploitGuard/ExploitProtectionSettings</a>
</dd>
</dl>
### Games policies
<dl>
@ -1778,6 +1810,83 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### LocalPoliciesSecurityOptions policies
<dl>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts" id="localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount" id="localpoliciessecurityoptions-accounts-renameadministratoraccount">LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount" id="localpoliciessecurityoptions-accounts-renameguestaccount">LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin" id="localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin" id="localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel" id="localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit" id="localpoliciessecurityoptions-interactivelogon-machineinactivitylimit">LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations" id="localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations">LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</a>
</dd>
</dl>
### Location policies
<dl>
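Review bot: UserAccountControl_RunAllAdministratorsInAdminApprovalMode is listed ahead of UserAccountControl_AllowUIAccessApplicationsToPromptForElevation, which breaks the alphabetical order used for the rest of this block and for the same list in the "What's new" topic. Move it between OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations and SwitchToTheSecureDesktopWhenPromptingForElevation. The link text here uses "InteractiveLogon_" for all entries, which is the spelling the "What's new" lists should be aligned to.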

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - AboveLock

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Accounts

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ActiveXControls
@ -66,6 +66,7 @@ Note: Wild card characters cannot be used when specifying the host URLs.
ADMX Info:
- GP english name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
- GP path: *Windows Components/ActiveX Installer Service*
- GP ADMX file name: *ActiveXInstallService.admx*
<!--EndADMX-->
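Review bot: The added GP path here starts at "Windows Components/...", while the App-V paths added elsewhere in this commit start at "Administrative Templates/System/App-V". The same rootless form is used for Attachment Manager and AutoPlay Policies. Decide whether GP path includes the "Administrative Templates/" root and apply it uniformly, otherwise readers cannot tell whether the two forms point at different places in the Group Policy editor.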

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ApplicationDefaults

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ApplicationManagement

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - AppVirtualization
@ -60,6 +60,7 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
ADMX Info:
- GP english name: *Enable App-V Client*
- GP name: *EnableAppV*
- GP path: *Administrative Templates/System/App-V*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -105,6 +106,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
ADMX Info:
- GP english name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -150,6 +152,7 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
ADMX Info:
- GP english name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
- GP path: *Administrative Templates/System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -195,6 +198,7 @@ Enables scripts defined in the package manifest of configuration files that shou
ADMX Info:
- GP english name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
- GP path: *Administrative Templates/System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -240,6 +244,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th
ADMX Info:
- GP english name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -295,6 +300,7 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
ADMX Info:
- GP english name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
- GP path: *Administrative Templates/System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -340,6 +346,7 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
ADMX Info:
- GP english name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -385,6 +392,7 @@ Specifies the registry paths that do not roam with a user profile. Example usage
ADMX Info:
- GP english name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -430,6 +438,7 @@ Specifies how new packages should be loaded automatically by App-V on a specific
ADMX Info:
- GP english name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -475,6 +484,7 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
ADMX Info:
- GP english name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
- GP path: *Administrative Templates/System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -520,6 +530,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root User*
- GP name: *Integration_Root_User*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -565,6 +576,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root Global*
- GP name: *Integration_Root_Global*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -628,6 +640,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -689,8 +702,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
<!--StartADMX-->
ADMX Info:
- GP english name: *Publishing Server 2 Settings*
- GP English name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
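Review bot: The label is changed to "GP English name" only for Publishing Server 2, while every other ADMX Info block touched in this commit keeps "GP english name". If the capitalisation fix is intended, apply it across all blocks (ideally in the generator that emits the StartADMX/EndADMX sections); if not, drop it here so the blocks stay uniform.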
@ -754,6 +768,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -817,6 +832,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -880,6 +896,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -925,6 +942,7 @@ Specifies the path to a valid certificate in the certificate store.
ADMX Info:
- GP english name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -970,6 +988,7 @@ This setting controls whether virtualized applications are launched on Windows 8
ADMX Info:
- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1015,6 +1034,7 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
ADMX Info:
- GP english name: *Location Provider*
- GP name: *Streaming_Location_Provider*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1060,6 +1080,7 @@ Specifies directory where all new applications and updates will be installed.
ADMX Info:
- GP english name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1105,6 +1126,7 @@ Overrides source location for downloading package content.
ADMX Info:
- GP english name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1150,6 +1172,7 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
ADMX Info:
- GP english name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1195,6 +1218,7 @@ Specifies the number of times to retry a dropped session.
ADMX Info:
- GP english name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1240,6 +1264,7 @@ Specifies that streamed package contents will be not be saved to the local hard
ADMX Info:
- GP english name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1285,6 +1310,7 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
ADMX Info:
- GP english name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1330,6 +1356,7 @@ Verifies Server certificate revocation status before streaming using HTTPS.
ADMX Info:
- GP english name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1375,6 +1402,7 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
ADMX Info:
- GP english name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - AttachmentManager
@ -66,6 +66,7 @@ If you do not configure this policy setting, Windows marks file attachments with
ADMX Info:
- GP english name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->
@ -117,6 +118,7 @@ If you do not configure this policy setting, Windows hides the check box and Unb
ADMX Info:
- GP english name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->
@ -168,6 +170,7 @@ If you do not configure this policy setting, Windows does not call the registere
ADMX Info:
- GP english name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Authentication

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Autoplay
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for
ADMX Info:
- GP english name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
@ -122,6 +123,7 @@ If you disable or not configure this policy setting, Windows Vista or later will
ADMX Info:
- GP english name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
@ -181,6 +183,7 @@ Note: This policy setting appears in both the Computer Configuration and User Co
ADMX Info:
- GP english name: *Turn off Autoplay*
- GP name: *Autorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
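Review bot: The added GP path line gives *Windows Components/AutoPlay Policies* with no scope, yet the description for this setting (visible in the hunk header) notes that it appears in both Computer Configuration and User Configuration. Say which scope the path refers to, or that it exists under both, so an admin comparing the MDM setting against Group Policy results checks the right node.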

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Bitlocker
@ -58,6 +58,33 @@ ms.date: 07/14/2017
- 6 - XTS-AES 128-bit (Desktop only)
- 7 - XTS-AES 256-bit (Desktop only)
<p style="margin-left: 20px">You can find the following policies in BitLocker CSP:
<dl>
<dd>
<a href="./bitlocker-csp.md#encryptionmethodbydrivetype" id="encryptionmethodbydrivetype">BitLocker/EncryptionMethodByDriveType</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrecoveryoptions" id="fixeddrivesrecoveryoptions">BitLocker/FixedDrivesRecoveryOptions</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrequireencryption" id="fixeddrivesrequireencryption">BitLocker/FixedDrivesRequireEncryption</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#removabledrivesrequireencryption" id="removabledrivesrequireencryption">BitLocker/RemovableDrivesRequireEncryption</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesminimumpinlength" id="systemdrivesminimumpinlength">BitLocker/SystemDrivesMinimumPINLength</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoverymessage" id="systemdrivesrecoverymessage">BitLocker/SystemDrivesRecoveryMessage</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoveryoptions" id="systemdrivesrecoveryoptions">BitLocker/SystemDrivesRecoveryOptions</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrequirestartupauthentication" id="systemdrivesrequirestartupauthentication">BitLocker/SystemDrivesRequireStartupAuthentication</a>
</dd>
</dl>
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
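Review bot: The `<p style="margin-left: 20px">` opened on the "You can find the following policies in BitLocker CSP:" line is never closed before the `<dl>`, and the list is built from `<dd>` entries with no `<dt>`; close the paragraph before the list. The `id` attributes on the outbound links (for example `id="encryptionmethodbydrivetype"`) repeat the fragment names of the target page and nothing in the visible lines links to them here, so drop them unless this page needs those anchors.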
@ -69,4 +96,3 @@ Footnote:
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Bluetooth

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Browser

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Camera

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Cellular
@ -58,6 +58,7 @@ ms.date: 07/14/2017
ADMX Info:
- GP english name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
- GP path: *Network/WWAN Service/WWAN UI Settings*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Connectivity
@ -521,6 +521,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths
ADMX Info:
- GP english name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP path: *Network/Network Provider*
- GP ADMX file name: *networkprovider.admx*
<!--EndADMX-->
@ -564,6 +565,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP path: *Network/Network Connections*
- GP ADMX file name: *NetworkConnections.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - CredentialProviders
@ -124,7 +124,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="credentialproviders-enablewindowsautopilotresetcredentials"></a>**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
<a href="" id="credentialproviders-disableautomaticredeploymentcredentials"></a>**CredentialProviders/DisableAutomaticReDeploymentCredentials**
<!--StartSKU-->
<table>
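Review bot: The policy anchor changes from `id="credentialproviders-enablewindowsautopilotresetcredentials"` to `id="credentialproviders-disableautomaticredeploymentcredentials"` and nothing is left at the old fragment, so existing links to the old name stop resolving. The rename also flips the policy's sense from Enable to Disable; add a line that names the former policy and states that the meaning of the value is inverted, so anyone who configured the old name re-checks the value being pushed.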
@ -150,11 +150,12 @@ ADMX Info:
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
Default value is 0.
- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
<!--EndDescription-->
<!--EndPolicy-->
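Review bot: The rewritten Automatic ReDeployment sentence keeps the typo "the devices are for ready for use"; it should read "are ready for use". "Default value is 0" also sits before the value list, and with the new Disable polarity 0 means the credentials are visible, so say that on the default line (for example "Default value is 0 (credentials visible)"). The earlier sentence about the WNF notification and the scheduled task that updates the provider's visibility has no replacement, so the text no longer says how a change to the policy takes effect.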

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - CredentialsUI
@ -68,6 +68,7 @@ The policy applies to all Windows components and applications that use the Windo
ADMX Info:
- GP english name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
<!--EndADMX-->
@ -117,6 +118,7 @@ If you disable this policy setting, users will always be required to type a user
ADMX Info:
- GP english name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Cryptography

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DataProtection

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DataUsage
@ -70,6 +70,7 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
ADMX Info:
- GP english name: *Set 3G Cost*
- GP name: *SetCost3G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->
@ -125,6 +126,7 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti
ADMX Info:
- GP english name: *Set 4G Cost*
- GP name: *SetCost4G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Defender

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeliveryOptimization

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Desktop

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeviceGuard

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeviceInstallation
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, devices can be installed
ADMX Info:
- GP english name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
<!--EndADMX-->
@ -113,6 +114,7 @@ If you disable or do not configure this policy setting, Windows can install and
ADMX Info:
- GP english name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeviceLock
@ -769,6 +769,7 @@ If you enable this setting, users will no longer be able to modify slide show se
ADMX Info:
- GP english name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Display

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/27/2017
ms.date: 08/09/2017
---
# Policy CSP - Education

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - EnterpriseCloudPrint

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ErrorReporting
@ -123,6 +123,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
ADMX Info:
- GP english name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
@ -176,6 +177,7 @@ See also the Configure Error Reporting policy setting.
ADMX Info:
- GP english name: *Display Error Notification*
- GP name: *PCH_ShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
@ -225,6 +227,7 @@ If you disable or do not configure this policy setting, then consent policy sett
ADMX Info:
- GP english name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
@ -274,6 +277,7 @@ If you disable or do not configure this policy setting, Windows Error Reporting
ADMX Info:
- GP english name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - EventLogService
@ -66,6 +66,7 @@ Note: Old events may or may not be retained according to the "Backup log automat
ADMX Info:
- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
@ -115,6 +116,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
@ -164,6 +166,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
- GP path: *Windows Components/Event Log Service/Security*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
@ -213,6 +216,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
- GP path: *Windows Components/Event Log Service/System*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Experience

View File

@ -0,0 +1,58 @@
---
title: Policy CSP - ExploitGuard
description: Policy CSP - ExploitGuard
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/11/2017
---
# Policy CSP - ExploitGuard
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicy-->
<a href="" id="exploitguard-exploitprotectionsettings"></a>**ExploitGuard/ExploitProtectionSettings**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML.
<p style="margin-left: 20px">The system settings require a reboot; the application settings do not require a reboot.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
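Review bot: The ExploitProtectionSettings description says only that "The configuration is represented by an XML" and gives no schema, no data type for the node, and no indication of how an admin produces or validates that XML; add at least a pointer to where the format is documented. In the same new file, the front matter `description:` just repeats the title, the footnote list carries entries 1 and 2 although only footnote 3 is referenced in the SKU table, and both `<p style="margin-left: 20px">` paragraphs are left unclosed.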

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Games
@ -22,9 +22,6 @@ ms.date: 07/14/2017
<!--StartPolicy-->
<a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**
<!--StartSKU-->
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Placeholder only. Currently not supported.

File diff suppressed because it is too large

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Kerberos
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, the Kerberos client does
ADMX Info:
- GP english name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -112,6 +113,7 @@ If you disable or do not configure this policy setting, the client devices will
ADMX Info:
- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -165,6 +167,7 @@ If you disable or do not configure this policy setting, the client computers in
ADMX Info:
- GP english name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -214,6 +217,7 @@ If you disable or do not configure this policy setting, the Kerberos client requ
ADMX Info:
- GP english name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -267,6 +271,7 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
ADMX Info:
- GP english name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Licensing

File diff suppressed because it is too large

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Location

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - LockDown

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Maps

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Messaging

Some files were not shown because too many files have changed in this diff