Merge remote-tracking branch 'origin/master' into atp-new-api

Joey Caparas 2018-10-09 10:55:56 -07:00
commit d0be8b25a7
158 changed files with 8865 additions and 1529 deletions

@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md",
"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview",
"redirect_document_id": true
},
{
"source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility",
"redirect_document_id": true
@ -5421,6 +5426,26 @@
"redirect_document_id": true
},
{
"source_path": "devices/hololens/hololens-microsoft-layout-app.md",
"redirect_url": "/hololens/hololens-microsoft-dynamics-365-layout-app",
"redirect_document_id": true
},
{
"source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md",
"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/",
"redirect_document_id": true
},
{
"source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md",
"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/",
"redirect_document_id": true
},
{
"source_path": "devices/hololens/hololens-public-preview-apps.md",
"redirect_url": "https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
"redirect_url": "/surface-hub/provisioning-packages-for-surface-hub",
"redirect_document_id": true
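
Review bot: The entry for devices/hololens/hololens-microsoft-layout-app.md redirects to /hololens/hololens-microsoft-dynamics-365-layout-app, and the very next entry redirects that page again to https://docs.microsoft.com/dynamics365/mixed-reality/layout/, so readers of the old Layout URL go through two hops. Point the first entry straight at the final dynamics365 URL so the chain does not grow each time a topic moves.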

@ -41,8 +41,8 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi
| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] |
| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] |
| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] |
| New | [Configure kiosk mode](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] |
| New | [Configure kiosk reset after idle timeout](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] |
| New | [Configure kiosk mode](microsoft-edge-kiosk-mode-deploy.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] |
| New | [Configure kiosk reset idle timeout](microsoft-edge-kiosk-mode-deploy.md#configure-kiosk-reset-idle-timeout) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] |
| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] |
| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] |
| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] |
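
Review bot: The link text on the kiosk idle-timeout row now reads "Configure kiosk reset idle timeout", while the include it sits beside is still named configure-kiosk-reset-after-idle-timeout-shortdesc and the kiosk deployment page in this same commit refers to the policy as "Configure kiosk reset after idle timeout". Use one policy name across the table, the include and the deployment page so admins can search for it. That row is also missing the space between "|" and "[!INCLUDE" that the other rows have.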

Binary file not shown.

@ -7,62 +7,68 @@ ms.prod: edge
ms.sitesec: library
title: Deploy Microsoft Edge kiosk mode
ms.localizationpriority: medium
ms.date: 10/02/2018
ms.date: 10/08/2018
---
# Deploy Microsoft Edge kiosk mode
>Applies to: Microsoft Edge on Windows 10, version 1809
In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk (referred to as Microsoft Edge kiosk mode). We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure.
In the Windows 10 October 2018 Update, we added Microsoft Edge kiosk mode which works with assigned access, locking down a Windows 10 device to only run a single application or multiple applications. It also prevents access to the file system and running executables or other apps from Microsoft Edge. Assigned access lets IT administrators create a tailored browsing experience designed for kiosk devices. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access).
Microsoft Edge kiosk mode works with assigned access, which lets IT administrators create a tailored browsing experience designed for kiosk devices. Assigned access prevents users from accessing the file system and running other apps from Microsoft Edge, such as the address bar or downloads. For example, you can configure Microsoft Edge to load only a single URL in full-screen mode when you configure digital/interactive signage on a single-app kiosk device.
Microsoft Edge kiosk mode supports four configurations types. For example, you can configure Microsoft Edge to load only a single URL in full-screen mode when you configure digital/interactive signage on a single-app kiosk device.
In addition to digital/interactive signage, you can configure Microsoft Edge for public browsing either on a single and multi-app kiosk device. Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality to run in full-screen mode or normal browsing of Microsoft Edge.
In addition to digital/interactive signage, you can configure Microsoft Edge kiosk mode for public browsing either on a single or multi-app kiosk device. The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks. For example, the Microsoft Edge Settings are disabled, favorites, extensions, and books are unavailable to prevent users from customizing Microsoft Edge.
Both digital/interactive signage and public browsing help protect the users data by running Microsoft Edge with InPrivate browsing. In single-app public browsing, there is both an End Session button that users click to end the browsing session or that resets the session after a specified time of user inactivity. The idle timer is set to 5 minutes by default, but you can choose a value of your own.
In this topic, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to set up your Microsoft Edge kiosk mode experience. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
In single-app public browsing, there is an “End session” button and reset after an idle timeout. Both restart Microsoft Edge and clear the users session. The reset after the idle timer is set to 5 minutes by default, but you can choose a value of your own.
In this topic, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to set up your Microsoft Edge kiosk mode experience. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
## Microsoft Edge kiosk types
Depending on how Microsoft Edge is set up in assigned access, Microsoft Edge kiosk mode supports four types, single-app or multi-app kiosk mode with both supporting public browsing. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access).
### Single-app kiosk
Microsoft Edge kiosk mode supports four configuration types that depending on how Microsoft Edge is set up with assigned access. Two for single-app kiosk devices (Digital/Interactive signage and Public browsing) and two for multi-app kiosk devices (Public browsing and Normal mode).
When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a limited multi-tab version for public browsing. For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage).
### Single app
The single-app Microsoft Edge kiosk mode types include:
When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a multi-tab version designed for public browsing. For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage).
1. **Digital / Interactive signage** devices display a specific site in full-screen mode that runs InPrivate browsing mode.
The single-app Microsoft Edge kiosk mode types are:
- **Digital signage** does not require user interaction and best used for a rotating advertisement or menu.
1. **Digital / Interactive signage** devices display a specific site in full-screen mode that runs InPrivate browsing mode.
- **Interactive signage**, on the other hand, requires user interaction within the page but doesnt allow for any other uses, such as browsing the internet. Use interactive signage for things like a building business directory or restaurant order/pay station.
- **Digital signage** does not require user interaction and best used for a rotating advertisement or menu.
2. **Public browsing** devices are publicly accessible and run a limited multi-tab version of InPrivate browsing in Microsoft Edge, which is the only app available on the device. Users cant minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge.<p>The single-app public browsing mode is the only kiosk mode that has an End Session button that users click to end the browsing session and an idle timer that resets the session after a specified time of user inactivity. Use the “Configure kiosk reset after idle timeout” policy to set the idle timer, which is set to 5 minutes by default, but you can provide a value of your own.<p>A public library or hotel concierge desk are two examples of public browsing that restricts access to only Microsoft Edge.
- **Interactive signage**, on the other hand, requires user interaction within the page but doesnt allow for any other uses, such as browsing the internet. Use interactive signage for things like a building business directory or restaurant order/pay station.
2. **Public browsing** runs Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for publicly accessible kiosk devices. For example, the Microsoft Edge Settings are disabled, favorites, extensions, and books are unavailable to prevent users from customizing Microsoft Edge. Users cant minimize, close or open a new Microsoft Window. Microsoft Edge is the only app users can use on the device.<p>The single-app public browsing mode is the only kiosk mode that has an End session button that users click to end the browsing session and an idle timer that resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the users session, including any downloads. Use the “Configure kiosk reset after idle timeout” policy to set the idle timer, which is set to 5 minutes by default.<p>A public library or hotel concierge desk are two examples of public browsing that restricts access to only Microsoft Edge.
![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/surface_hub_single-app_browse_kiosk_inframe.png)
### Multi-app kiosk
When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device.
### Multi-app
Microsoft Edge two kiosk mode in multi-app assigned access runs InPrivate mode and a regular browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device.
The multi-app Microsoft Edge kiosk mode types include:
3. **Public browsing** devices are publicly accessible and supports browsing the internet. Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality that runs in full-screen mode.<p>In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.<p>A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.
3. **Public browsing**, which is similar to the single-app version, runs Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for publicly accessible kiosk devices running more than one application.<p>Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an “End session” button to clear their browsing session, the user closes Microsoft Edge normally.<p>In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.<p>A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.
![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_kiosk_inframe.png)
4. **Normal mode** devices run a full-featured version of Microsoft Edge (referred to as normal browsing).<p>Some features may not work depending on what other apps you have configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.
4. **Normal mode** provides all the Microsoft Edge browsing features and preserves the user data and state between sessions.<p>Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. If Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.
![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_normal_kiosk_inframe.png)
## Lets get started!
Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge in kiosk mode. You can set up Microsoft Edge kiosk mode in assigned access using:
- **Windows Settings.** Best for physically setting up a couple of devices as kiosks. You can configure Microsoft Edge in single-app (full-screen or public browsing as the kiosk type) and define a single URL for the Home button, Start page, and New Tab page. You can also set the reset after an idle timeout.
Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. With assigned access, you restrict a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode. You can set up Microsoft Edge kiosk mode in assigned access using:
- **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when its running in kiosk mode with assigned access.
- **Windows Settings.** Use to set up a couple of single-app kiosk devices. If you hit the Windows key and type “kiosk” you can setup Microsoft Edge kiosk mode for a single-app (Digital / Interactive signage or Public browsing) expereince and define a single URL for the Home button, Start page, and New Tab page. You can also set the reset after an idle timeout.
IMPORTANT: Do not use the Windows 10 Settings to configure multi-app kiosks.
- **Microsoft Intune or other MDM service.** Use to set up several single-app and multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience by using the [supported or available] Microsoft Edge policies. For a list of supported polices see [Supported policies for kiosk mode]().
>[!NOTE]
>For other MDM service, check with your provider for instructions.
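
Review bot: The "Microsoft Intune or other MDM service" bullet still contains an unresolved editorial choice, "[supported or available]", and a link with no target, "[Supported policies for kiosk mode]()". Settle on one word and point the link at the section this commit titles "Supported policies for kiosk mode" (#supported-policies-for-kiosk-mode). In the same hunk, "expereince" and "polices" are misspelled, "four configuration types that depending on how" and "Microsoft Edge two kiosk mode in multi-app assigned access runs" do not parse, "open a new Microsoft Window" presumably means a Microsoft Edge window, and the "IMPORTANT: Do not use the Windows 10 Settings to configure multi-app kiosks." line should use the >[!IMPORTANT] callout form the page uses elsewhere.
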
@ -73,64 +79,52 @@ Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Ed
### Prerequisites
- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the AppUserModelID (AUMID) to set up Microsoft Edge:
Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the AppUserModelID (AUMID) to set up Microsoft Edge:<p>Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
### Use Windows Settings
### Use Windows Settings
Windows Settings is the simplest and easiest way to set up one or a couple of devices because you perform these steps physically on each device. This method is ideal for small businesses.
When you set up a single-app kiosk device using Windows Settings, you must first set up assigned access before configuring the device. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge, in kiosk mode.
When you set up a single-app kiosk device using Windows Settings, you must first set up assigned access before configuring the device. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge in kiosk mode.
1. In the search field of Windows Settings, type **kiosk** and then select **Set up a kiosk (assigned access)**.
1. In the search field of Windows Settings, type **kiosk** and then select **Set up a kiosk (assigned access)**.
2. On the **Set up a kiosk** page, click **Get started**.
2. On the **Set up a kiosk** page, click **Get started**.
3. Type a name to create a new account or you can choose an existing account and click **Next**.
3. Type a name to create a new account or you can choose an existing account and click **Next**.
4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**.
4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**.
5. Select how Microsoft Edge displays when running in kiosk mode:
5. Select how Microsoft Edge displays when running in kiosk mode:
- **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls.
- **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls.
- **As a public browser**, the default URL shows in a browser view with limited browser controls.
- **As a public browser**, the default URL shows in a browser view with
limited browser controls.
6. Select **Next**.
6. Select **Next**.
7. Type the URL to load when the kiosk launches.
7. Type the URL to load when the kiosk launches.
>[!NOTE]
>The URL sets the Home button, Start page, and New Tab page.
>[!NOTE]
>The URL sets the Home button, Start page, and New Tab page.
8. Accept the default value of **5 minutes** for the idle time or provide your own value.
8. Accept the default value of **5 minutes** for the idle time or provide your
own value.
>[!TIP]
>Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If the user does not **Continue**, Microsoft Edge resets to the default URL.
>[!TIP]
>Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If the user does not **Continue**, Microsoft Edge resets to the default URL.
9. Click **Next**.
9. Click **Next**.
10. Close the **Settings** window to save and apply your choices.
11. Now that you have configured assigned access, selected how Microsoft Edge displays the kiosk, and set the idle timer, you can configure the group policies for Microsoft Edge kiosk mode.
11. Once you've configured the policies, restart the kiosk device and sign in with the local kiosk account to validate the configuration.
>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
>>
>>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\**
- **[Configure kiosk mode](#configure-kiosk-mode)**: Configure the display mode for Microsoft Edge as a kiosk app. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. For this policy to work, you must configure assigned access; otherwise, Microsoft Edge ignores the settings in this policy.
- **[Configure kiosk reset after idle timeout](#configure-kiosk-reset-idle-timeout)**: Change the time, in minutes, from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. For this policy to work, you must enable the Configure kiosk mode policy (InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access; otherwise, Microsoft Edge ignores this setting.
- **[Additional policies for kiosk mode](#additional-policies-for-kiosk-mode)**: We have other new and existing policies that work with Microsoft Edge kiosk mode, such as Allow cookies, Allow printing, Configure Home button, and Configure telemetry for Microsoft 365 analytics. At this time, only a few features work in all kiosk types, for example, Unlock Home button works only in normal browsing.
12. Once you've configured the group policies, restart the kiosk device and sign in with the local kiosk account to validate the configuration.
**_Congratulations!_** Youve just finished setting up Microsoft Edge in assigned access, a kiosk or digital sign, and configured the group policies for Microsoft Edge kiosk mode.
*Congratulations!* Youve just finished setting up Microsoft Edge in assigned access, a kiosk or digital sign, and configured Microsoft Edge kiosk mode.
**_Next steps._**
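
Review bot: Step 11 of the Windows Settings procedure reads "Once you've configured the policies, restart the kiosk device", but judging by the duplicate step numbers the step that introduced the policies (the Group Policy Editor path and the three policy links) is the one being dropped, which leaves the restart step referring to a configuration the procedure never asks for. Either keep a one-line pointer to the policies section before the restart, or reword step 11 to start at "Restart the kiosk device and sign in with the local kiosk account". The hard line breaks inside "browser view with / limited browser controls" and "provide your / own value" should also be rejoined.
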
@ -142,14 +136,14 @@ When you set up a single-app kiosk device using Windows Settings, you must first
### Use Microsoft Intune or other MDM service
With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device.
With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device.
>[!IMPORTANT]
>If you are using a local account as a kiosk account in Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk.
>If you are using a local account as a kiosk account in Microsoft Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk.
1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
2. Configure the following MDM settings to control a web browser app on the kiosk device and then restart the device.
2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device.
| | |
|---|---|
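
Review bot: In step 2, "to setup Microsoft Edge kiosk mode" uses the noun form as a verb; write "to set up Microsoft Edge kiosk mode", matching "set up" in the rest of the page.
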
@ -203,9 +197,9 @@ With this method, you can use a provisioning package to configure Microsoft Edge
---
## Microsoft Edge kiosk mode policies
## Relevant policies
We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure.
We added new Microsoft Edge policies to configure the kiosk mode type as well as the idle timer. For these polices to work correctly, you must set up Microsoft Edge in assigned access.
### Configure kiosk mode
[!INCLUDE [configure-microsoft-edge-kiosk-mode-include](includes/configure-microsoft-edge-kiosk-mode-include.md)]
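
Review bot: "polices" in "For these polices to work correctly" should be "policies". The sentence also says the policies only work once Microsoft Edge is set up in assigned access; since that is a precondition for the lockdown taking effect, consider linking "assigned access" here the way the introduction does.
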
@ -213,7 +207,7 @@ We added and updated Microsoft Edge group policies to enhance the kiosk experien
### Configure kiosk reset idle timeout
[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include](includes/configure-edge-kiosk-reset-idle-timeout-include.md)]
### Additional policies for kiosk mode
### Supported policies for kiosk mode
Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser).
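
Review bot: Renaming the heading from "Additional policies for kiosk mode" to "Supported policies for kiosk mode" changes its anchor, so any link to #additional-policies-for-kiosk-mode stops resolving. Search the docset for the old anchor and update those links to #supported-policies-for-kiosk-mode as part of this change.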

@ -10,8 +10,5 @@
## [Share HoloLens with multiple people](hololens-multiple-users.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md)
### [Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md)
### [Microsoft Layout app](hololens-microsoft-layout-app.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

@ -9,13 +9,21 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2018
ms.date: 10/08/2018
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
## October 2018
New or changed topic | Description
--- | ---
[Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Removed, and redirected to [Mixed reality apps](https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps)
[Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | Removed, and redirected to [Overview of Dynamics 365 Remote Assist](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/)
[Microsoft Dynamics 365 Layout app](hololens-microsoft-dynamics-365-layout-app.md) | Removed, and redirected to [Overview of Dynamics 365 Layout](https://docs.microsoft.com/dynamics365/mixed-reality/layout/)
## July 2018
New or changed topic | Description
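
Review bot: In the October 2018 table, the first-column links target hololens-public-preview-apps.md, hololens-microsoft-remote-assist-app.md and hololens-microsoft-dynamics-365-layout-app.md, which are the topics each row describes as removed. Those links only work through the redirects added elsewhere in this commit; show the topic names as plain text and keep the link on the redirect destination in the Description column.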

@ -27,7 +27,7 @@ Select **Confirm -> Restart Now** to finish up. After your device has rebooted,
## New features for HoloLens
The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes).
The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018).
### For everyone

@ -1,73 +0,0 @@
---
title: Microsoft Layout
description: How to get and deploy the Microsoft Layout app throughout your organization
ms.prod: hololens
ms.sitesec: library
author: alhopper-msft
ms.author: alhopper
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/21/2018
---
# Microsoft Layout
Bring designs from concept to completion with confidence and speed. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical space or virtual reality and edit with stakeholders in real time. With Microsoft Layout, see ideas in context, saving valuable time and money.
## Device options and technical requirements
Below are the device options, and technical requirements, to use and deploy Microsoft Layout throughout your organization.
### Device options
Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset with motion controllers.
#### HoloLens requirements
| OS requirements | Details |
|:----------------------------------|:-----------------------------------------------------------|
| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. |
#### Windows Mixed Reality headset requirements
| Requirements | Details |
|:----------------------------------------------|:-----------------------------------------------------------|
| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. |
| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality. See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. |
### Technical requirements
Have the following technical requirements in place to start using Microsoft Layout.
| Requirement | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | |
| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.<br/><br/>A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](hololens-microsoft-remote-assist-app.md) <br/><br/>[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) |
| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, so they can be viewed and edited from the HoloLens or mixed reality headset. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | [Import Tool for Microsoft Layout](#get-and-deploy-the-import-tool-for-microsoft-layout) |
## Get and deploy Microsoft Layout
Microsoft Layout is available from the Microsoft Store for Business for free for a limited time:
1. Go to the [Microsoft Layout](https://businessstore.microsoft.com/en-us/store/details/app/9NSJN53K3GFJ) app in the Microsoft Store for Business.
1. Click **Get the app**. Microsoft Layout is added to the **Products and Services** tab for your private store.
1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps.
For a limited time, users can also [Get Microsoft Layout from the Microsoft Store](https://www.microsoft.com/store/productId/9NSJN53K3GFJ) for free.
### Get and deploy the Import Tool for Microsoft Layout
The **Import Tool for Microsoft Layout** is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on Microsoft HoloLens or a Windows Mixed Reality headset.
The companion app is available in both the Microsoft Store for Business, and the Microsoft Store, for free for a limited time:
* [Get the Microsoft Layout Import Tool](https://businessstore.microsoft.com/en-us/store/details/app/9N88Q3RXPLP0) from the Microsoft Store for Business. See [Distribute apps to your employees from Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) for instructions on using the Microsoft Store for Business, and/or MDM, to deploy Windows 10 apps throughout your organization.
* Alternately, have your users [Get the Microsoft Layout Import Tool](https://www.microsoft.com/store/productId/9N88Q3RXPLP0) from the Microsoft Store to install the app on their Windows 10 PC.
## Use Microsoft Layout
For guidance on using the features of the Microsoft Layout app, please see [Set up and use Microsoft Layout](https://support.microsoft.com/help/4294437).
## Questions and support
You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).

View File

@ -1,64 +0,0 @@
---
title: Microsoft Remote Assist
description: How to get and deploy the Microsoft Remote Assist app throughout your organization
ms.prod: hololens
ms.sitesec: library
author: alhopper-msft
ms.author: alhopper
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/22/2018
---
# Microsoft Remote Assist
Collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. Firstline workers can share what they see with any expert on Microsoft Teams, while staying hands on to solve problems and complete tasks together, faster. Backed by enterprise-level security, Microsoft Remote Assist enables communication with peace of mind.
## Technical requirements
Below are the technical requirements to deploy and use Microsoft Remote Assist throughout your organization.
### Device requirements
| Device | OS requirements | Details |
|:---------------------------|:----------------------------------|:-----------------------------------------------------------|
| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. |
| Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. |
> [!Note]
> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available.
### Licensing & product requirements
| Product required | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams. Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can alternately install Remote Assist on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Microsoft Teams | Microsoft Teams facilitates communication in Remote Assist. Microsoft Teams must be installed on any device that will make calls to the HoloLens. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) |
| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, each user who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) |
### Network requirements
1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your companys network bandwidth, follow these steps:
1. Have a Teams user video call another Teams user.
2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user.
3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time.
See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more.
## Get and deploy Microsoft Remote Assist
Microsoft Remote Assist is available from the Microsoft Store for Business for free for a limited time:
1. Go to the [Microsoft Remote Assist](https://businessstore.microsoft.com/en-us/store/details/app/9PPJSDMD680S) app in the Microsoft Store for Business.
1. Click **Get the app**. Microsoft Remote Assist is added to the **Products and Services** tab for your private store.
1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps.
For a limited time, users can also [Get Microsoft Remote Assist from the Microsoft Store](https://www.microsoft.com/store/productId/9PPJSDMD680S) for free.
## Use Microsoft Remote Assist
For guidance on using the features of the Microsoft Remote Assist app, please see [Set up and use Microsoft Remote Assist](https://support.microsoft.com/en-us/help/4294812).
## Questions and support
You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).

View File

@ -1,31 +0,0 @@
---
title: Preview new mixed reality apps for HoloLens
description: Here's how to download and distribute new mixed reality apps for HoloLens, free for a limited time during public preview
ms.prod: hololens
ms.sitesec: library
author: alhopper
ms.author: alhopper
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/21/2018
---
# Preview new mixed reality apps for HoloLens
Microsoft has just announced two new mixed reality apps coming to HoloLens: Microsoft Remote Assist and Microsoft Layout.
The gap between the real and digital world limits our ability to take advantage of new technologies and transform how we work, learn, create, communicate, and live. **Mixed reality is here to close that gap**.
Mixed reality has the potential to help customers and businesses across the globe do things that until now, have never been possible. Mixed reality helps businesses and employees complete crucial tasks faster, safer, more efficiently, and create new ways to connect to customers and partners.
Ready to get started? Check out the links below to learn more about how you can download and deploy Microsoft's new commercial-focused mixed reality apps.
## In this section
| Topic | Description |
| --- | --- |
| [Microsoft Remote Assist](hololens-microsoft-remote-assist-app.md) | Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster. |
| [Microsoft Layout](hololens-microsoft-layout-app.md ) | Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, you can see ideas in context, saving valuable time and money. |
## Questions and support
You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).

View File

@ -32,7 +32,6 @@ ms.date: 07/27/2018
[Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens |
| [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Download and deploy new mixed reality apps for HoloLens, free for a limited time during public preview |
| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens |
| [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. |
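Review bot: The unchanged row for "Share HoloLens with multiple people" reads "Multiple users can shared a HoloLens device" and, as shown here, has no leading `|`, unlike the rows around it. Since this hunk already edits the table, fix that row too ("can share", same pipe style as its neighbours). The BitLocker row also spells the product "Bitlocker" twice; the product name is "BitLocker".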

View File

@ -19,7 +19,7 @@ Battery Limit option is a UEFI setting that changes how the Surface device batte
Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity.
Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [support article](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models.
Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models.
## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later)
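Review bot: The rewritten paragraph still states "Battery Limit is only supported on Surface Pro 4 and Surface Pro 3", while the heading right after it reads "Surface Pro 4 and later" and the same paragraph sends readers to the support article for the supported devices and the required UEFI version. These three statements can drift apart. Either drop the hard-coded model list and let the linked article be the single source, or make the sentence and the heading agree. The new link text is an improvement over the bare "support article".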

View File

@ -19,8 +19,6 @@ You can use an App-V 5.0 project template to save commonly applied settings asso
**Note**  
You can, and often should apply an App-V 5.0 project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application.
 
App-V 5.0 project templates differ from App-V 5.0 Application Accelerators because App-V 5.0 Application Accelerators are application-specific, and App-V 5.0 project templates can be applied to multiple applications.
Use the following procedures to create and apply a new template.
@ -29,25 +27,20 @@ Use the following procedures to create and apply a new template.
1. To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**.
2. **Note**  
**Note**  
If the virtual application package is currently open in the App-V 5.0 Sequencer console, skip to step 3 of this procedure.
 
To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**.
2. To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**.
3. In the App-V 5.0 Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V 5.0 project template. Click Save.
The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure.
The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure.
**To apply a project template**
1. **Important**  
**Important**  
Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported.
 
To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**.
1. To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**.
2. To create or upgrade a new virtual application package by using an App-V 5.0 project template, click **File** / **New From Template**.
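Review bot: The relocated Important block says a project template cannot be combined with a "Package Accelerator", but the introduction a few lines up calls the same feature "App-V 5.0 Application Accelerators". Use one term in both places so readers do not take them for two different things. In step 3 of the first procedure, "Click Save." is also the only UI label not set in bold; make it `Click **Save**.` to match the other steps.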
@ -62,9 +55,9 @@ Use the following procedures to create and apply a new template.
[Operations for App-V 5.0](operations-for-app-v-50.md)
 
 

View File

@ -47,7 +47,7 @@ While not required, you can use a management tool to distribute and manage apps.
## Proxy configuration
If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store either to acquire, install, or update apps will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs:
If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store either to acquire, install, or update apps will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
- login.live.com
- login.windows.net

View File

@ -5,7 +5,6 @@
## [Understand apps in Windows 10](apps-in-windows-10.md)
## [Add apps and features in Windows 10](add-apps-and-features.md)
## [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md)
### [Learn how to repackage win32 apps in the MSIX format](msix-app-packaging-tool-walkthrough.md)
## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md)
### [Getting Started with App-V](app-v/appv-getting-started.md)
#### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md)

View File

@ -1,160 +0,0 @@
---
title: Learn how to repackage your existing win32 applications to the MSIX format. This walkthrough provides in-depth detail on how the MSIX app packaging tool can be used.
description: Learn how to use the MSIX packaging tool with this in-depth walkthrough.
keywords: ["MSIX", "application", "app", "win32", "packaging tool"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
ms.author: mikeblodge
ms.topic: article
ms.date: 08/027/2018
---
# MSIX Packaging tool walkthrough
Learn how to repackage your legacy win32 application installers to MSIX, without the need for making code changes to your apps. The MSIX Packaging Tool allows you to modernize your app to take adavantage of Microsoft Store or Microsoft Store for Business to deploy apps on Windows 10 in S mode.
## Terminology
|Term |Definition |
|---------|---------|
|MPT | MSIX Packaging Tool. An enterprise grade tool that allows to package apps in the enterprise easily as MSIX without app code changes. |
|PSF | Package Support Framework. An open source framework to allow the packaging tool and the IT Admin to apply targeted fixes to the app in order to bypass some of the modern environment constrains. Some fixes will be added automatically by the tool and some will be added manually. |
|Modification Package | MSIX package to stores app preferences/settings and add-ins, decoupled from the main package. |
|Installer | Application installer can be an MSI, EXE, App-V , ClickOnce. |
|Project template file | Template file that saves the settings and parameters used for a certain package conversion. Information captured in the template includes general Tooling packaging options, settings in the options menus like exclusion lists, package deployment settings, application install location, package manifest information like Package Family Name, publisher, version and package properties like capabilities and advanced enterprise features. |
## Creating an Application package
![Create a package](images/welcomescreen.png)
When the tool is first launched, you will be prompted to provide consent to sending telemtry data. It's important to note that the diagnostic data you share only comes from the app and is never used to identify or contact you. This just helps us fix things faster for you.
![creating an application package](images/Selectinstaller.png)
Creating an Application package is the most commonly used option. This is where you will create an MSIX package from an installer, or by manual installation of application payload.
- If an installer is being used, browse to and select the desired application installer and click **Next**.
- This field accepts a valid existing file path.
- The field can be empty if you are manually packaging.
- If there is no installer (manual packaging) click **Next**.
*Optionally*
- Check the box under "Use Existing MSIX Package", browse, and select an existing MSIX package you'd like to update.
- Check the box under "Use installer Preferences" and enter the desired argument in the provided field. This field accepts any string.
### Packaging method
![selecting the package environment](images/selectenvironmentthiscomputer.png)
- Select the packaging environment by selecting one of the radio buttons:
- "Create package on an existing virtual machine" if you plan to do the package creation on a VM. Click **Next**. (You will be presented with user and password fields to provide credentials for the VM if there are any).
- "Create package on this computer" if you plan to package the application on the current machine where the tool is installed. Click **Next**.
### Create package on this computer
![Create a package on this computer](images/packageinfo.png)
You've selected to package your application on the current machine where the tool is installed. Nice job! Provide the information pertaining to the app. The tool will try to auto-fill these fields based on the information available from the installer. You will always have a choice to update the entries as needed. If the field as an asterisk*, it's required, but you already knew that. Inline help is provided if the entry is not valid.
- Package name:
- Required and corresponds to package identity Name in the manifest to describe the contents of the package.
- Must match the Name subject information of the certificate used to sign a package.
- Is not shown to the end user.
- Is case-sensitive and cannot have a space.
- Can accept string between 3 and 50 characters in length that consists of alpha-numeric, period, and dash characters.
- Cannot end with a period and be one of these: "CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", and "LPT9."
- Package display name:
- Required and corresponds to package <DisplayName> in the manifest to display a friendly package name to the user, in start menu and settings pages.
- Field accepts A string between 1 and 256 characters in length and is localizable.
- Publisher name
- Required and corresponds to package <Publisher Name> that describes the publisher information.
- The Publisher attribute must match the publisher subject information of the certificate used to sign a package.
- This field accepts a string between 1 and 8192 characters in length that fits the regular expression of a distinguished name : "(CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")(, ((CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")))*".
- Publisher display name
- Reuqired and corresponds to package <PublisherDisplayName> in the manifest to display a friendly publisher name to the user, in App installer and settings pages.
- Field accepts A string between 1 and 256 characters in length and is localizable.
- Version
- Required and corresponds to package <Identity Version> in the manifest to describe the The version number of the package.
- This field accepts a version string in quad notation, "Major.Minor.Build.Revision".
- Install location
- This is the location that the installer is going to copy the application payload to (usually Programs Files folder).
- This field is optional but recommended.
- Browse to and select a folder path.
- Make sure this filed matches Installers Install location while you go through the application install operation.
### Prepare computer
![prepare your computer](images/preparecomputer.png)
- You are provided with options to prepare the computer for packaging.
- MSIX Packaging Tool Driver is required and the tool will automatically try to enable it if it is not enabled.
> [!NOTE]
> MSIX Packaging tool driver monitors the system to capture the changes that an installer is making on the system which allows MSIX Packaging Tool to create a package based on those changes.
- The tool will first check with DISM to see if the driver is installed.
- [Optional] Check the box for “Windows Search is Active” and select “disable selected” if you choose to disable the search service.
- This is not required, only recommended.
- Once disabled, the tool will update the status field to “disabled”
- [Optional] Check the box for “Windows Update is Active” and select “disable selected” if you choose to disable the Update service.
- This is not required, only recommended.
- Once disabled, the tool will update the status field to “disabled”
- “Pending reboot” checkbox is disabled by default. You'll need to manually restart the machine and then launch the tool again if you are prompted that pending operations need a reboot.
- This not required, only recommended.
When you're done preparing the machine, click **Next**.
### Installation
![Installation phase for capturing the install operations](images/installation.png)
- This is installation phase where the tool is monitoring and capturing the application install operations.
- If you've provided an installer, the tool will launch the installer and you'll need to go through the installer wizard to install the application.
- Make sure the installation path matches what was defined earlier in the package information page.
- You'll need to create a shortcut in desktop for the newly installed application.
- Once you're done with the application installation wizard, make sure you finish or close on the installation wizard.
- If you need to run multiple installers you can do that manually at this point.
- If the app needs other pre-reqs, you need to install them now.
- If the application needs .Net 3.5/20, add the optional feature to Windows.
- If installer was not provided, manually copy the application binaries to the install location that you've defined earlier in package information.
- When you've completed installing the application, click **Next**.
### Manage first launch tasks
![Managing first launch tasks](images/managefirstlaunchtasks.png)
- This page shows application executables that the tool captured.
- We recommended launching the application at least once to capture any first launch tasks.
- If there are multiple applications, check the box that corresponds to the main entry point.
- If you don't see the application .exe here, manually browse to and run it.
- Click **Next**
![pop up asking for confirmation you are done monitoring](images/donemonitoring..png)
You'll be prompted with a pop up asking for confirmation that you're finished with application installation and managing first launch tasks.
- If you're done, click **Yes, move on**.
- If you're not done, click **No, I'm not done**. You'll be taken back to the last page to where you can launch applications, install or copy other files, and dlls/executables.
### Package support report
![Package support, runtime fixes that might be appliciable to the app](images/packagesupport.png)
- Here you'll have a chance to add PSF runtime fixes that might be applicable to the application. *(not supported in preview)*
- The tool will make some suggestions and apply fixes that it thinks are applicable.
- You'll have the opportunity to add, remove or edit PSF runtime fixes
- You can see a list of PSFs provided by the community from Github.
- You'll also see a packaging report on this page. The report will call out noteworthy items for example:
- If certain restricted capabilities like allowElevation is added
- If certain files were excluded from the package.
- Etc
Once done, click **Next**.
## Create package
![Creating the new package](images/createpackage.png)
- Provide a location to save the MSIX package.
- By default, packages are saved in local app data folder.
- You can define the default save location in Settings menu.
- If you'd like to continue to edit the content and properties of the package before saving the MSIX package, you can select “Package editor” and be taken to package editor.
- If you prefer to sign the package with a pre-made certificate for testing, browse to and select the certificate.
- Click **Create** to create the MSIX package.
You'll be presented with the pop up when the package is created. This pop up will include the name, publisher, and save location of the newly created package. You can close this pop up and get redirected to the welcome page. You can also select package editor to see and modify the package content and properties.
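Review bot: Deleting this file removes the signing-related constraints listed under "Create package on this computer": the package name must match the Name subject of the signing certificate, and the Publisher attribute must match the certificate's publisher subject. The TOC keeps the msix-app-packaging-tool.md entry and the redirect sends readers to https://docs.microsoft.com/windows/msix/mpt-overview, so please confirm before merging that the target covers those identity and certificate rules and the "Prepare computer" driver step. If it does not, keep a short pointer in the remaining MSIX topic.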

View File

@ -61,22 +61,11 @@ First, you create a default user profile with the customizations that you want,
3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on users profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
3. For devices running Windows 10, use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications:
- Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
- Microsoft.BingWeather_8wekyb3d8bbwe
- Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
- Microsoft.Getstarted_8wekyb3d8bbwe
- Microsoft.Windows.Photos_8wekyb3d8bbwe
- Microsoft.WindowsCamera_8wekyb3d8bbwe
- Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
- Microsoft.WindowsStore_8wekyb3d8bbwe
- Microsoft.XboxApp_8wekyb3d8bbwe
- Microsoft.XboxIdentityProvider_8wekyb3d8bbwe
- Microsoft.ZuneMusic_8wekyb3d8bbwe
3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
>[!NOTE]
>Uninstalling these apps will decrease sign-in time. If your deployment needs any of these apps, you can leave them installed.
>It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
3. At a command prompt, type the following command and press **ENTER**.
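Review bot: the replacement step 3 links Remove-AppxProvisionedPackage with `?view=winserver2012-ps`, a Windows Server 2012 view, in a step about uninstalling Windows 10 apps. Drop the `view` parameter or point it at a current module view. The same sentence reads "how to uninstall Windows 10 Application see" and needs "applications, see". With the explicit package list gone, "these apps" in the note no longer has a referent, so reword the note to stand on its own.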

View File

@ -68,7 +68,7 @@ The XML below is for Windows 10, version 1803.
<AccessType>
<Add />
</AccessType>
<Description>This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:&lt;# of digits&gt;% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.</Description>
<Description>This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:&lt;# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.</Description>
<DFFormat>
<chr />
</DFFormat>
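Review bot: in the new Description the macro reads `%RAND:&lt;# of digits>%`, with the opening bracket still an entity and the closing one literal. That is well-formed XML, but the half-converted form is easy to misread and suggests the bulk replace caught only one side. Leave both as entities, as in the old line, or exclude this DDF block from the replace.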

View File

@ -89,7 +89,7 @@ Required. A character string that specifies the location of the icon associated
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings &gt; email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
<a href="" id="account-guid-accounttype"></a>***Account GUID*/AccountType**
Required. A character string that specifies the account type.

File diff suppressed because it is too large

View File

@ -106,7 +106,7 @@ ms.date: 06/26/2017
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
<Data><enabled/></Data>
</Item>
</Replace>
```
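Review bot: `<Data><enabled/></Data>` sits inside a fenced SyncML example, where entities are displayed literally and readers copy the text as written. With `&lt;enabled/&gt;` the payload was character data inside `<Data>`; unescaped, `<enabled/>` becomes a child element of `<Data>`, which is a different document. Keep the escaped form inside code fences, or wrap the payload in a CDATA section if the literal brackets are wanted.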
@ -126,7 +126,7 @@ ms.date: 06/26/2017
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
<Data><enabled/></Data>
</Item>
</Replace>
```
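Review bot: the AllowPackageScripts example now carries `<Data><enabled/></Data>` inside a code fence, so the sample no longer shows the payload as escaped text. Confirm the sample as written is accepted by a test device before merging, or revert this line to `&lt;enabled/&gt;`.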

View File

@ -60,7 +60,7 @@ In the out-of-the-box scenario, the web view is 100% full screen, which gives th
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** &gt; **Accounts** &gt; **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
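Review bot: the rewritten sentence still reads "the enrollment can be manages through" and "Device management of either ... are similar". Since the line is being touched, fix both ("can be managed", "is similar") in the same change.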
@ -122,7 +122,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD.
6. Click **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name&gt;/ContosoMDM**, then click OK.
9. For the App ID, enter **https://&lt;your\_tenant\_name>/ContosoMDM**, then click OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
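Review bot: step 9 now reads `https://&lt;your\_tenant\_name>/ContosoMDM`, with only the closing bracket converted. Convert both sides or neither so the placeholder is consistent in the source.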

View File

@ -33,7 +33,7 @@ The following diagram shows the BrowserFavorite configuration service provider i
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " &lt; &gt; |
> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
 

View File

@ -187,7 +187,7 @@ The following snippet shows the policy web service response.
```
HTTP/1.1 200 OK
Date: Fri, 03 Aug 2012 20:00:00 GMT
Server: <sever name here>
Server: <server name here>
Content-Type: application/soap+xml
Content-Length: xxxx

View File

@ -194,7 +194,7 @@ Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 ce
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectalternativenames"></a>**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *&lt;nameformat1&gt;*+*&lt;actual name1&gt;*;*&lt;name format 2&gt;*+*&lt;actual name2&gt;*. Value type is chr.
Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *<nameformat1>*+*<actual name1>*;*<name format 2>*+*<actual name2>*. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
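Review bot: the SubjectAlternativeNames paragraph is markdown prose, not a code block, so the unescaped `<nameformat1>`, `<actual name1>` and the others will be parsed as inline HTML tags rather than shown as text, leaving only the `+` and `;` separators visible. Keep the `&lt;`/`&gt;` entities here or put the whole format string in backticks.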
@ -299,7 +299,7 @@ For ROBO renewal failure, the client retries the renewal periodically until the
For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again.
The default value is 7 and the valid values are 1 1000 AND =&lt; RenewalPeriod, otherwise it will result in errors. Value type is an integer.
The default value is 7 and the valid values are 1 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer.
Supported operations are Add, Get, Delete, and Replace.
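Review bot: the new line reads "valid values are 1 1000 AND =< RenewalPeriod" as it appears here: there is no range separator between 1 and 1000, and `=<` is not a standard comparison operator. Since the line is being rewritten, state it as a range with `<=`, for example "1 to 1000 and <= RenewalPeriod".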

View File

@ -90,7 +90,7 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
<p style="margin-left: 20px">Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever.
<p style="margin-left: 20px">Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM server.
<p style="margin-left: 20px">The data type is int. Valid values:
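Review bot: the line corrects "sever" to "server" but leaves "whtether" in the same sentence. Fix it to "whether" in this change.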

View File

@ -626,7 +626,7 @@ Supported operations are Get, Add, Delete noreplace</Description>
<Replace />
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30.
<Description>Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30.
The min value is 0 which means no retry. Supported operations are Get, Add, Delete, Replace.</Description>
<DFFormat>
<int />

View File

@ -32,7 +32,7 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location:
- Applications and Services Logs &gt; Microsoft &gt; Windows &gt; DeviceManagement-Enterprise-Diagnostic-Provider
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
Here's a screenshot:
@ -138,7 +138,7 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi
![field medic screenshot](images/diagnose-mdm-failures5.png)
7. Save the logs. They will be stored in the Field Medic log location on the device.
8. You can send the logs via email by attaching the files from **Documents &gt; Field Medic &gt; Reports &gt; ...** folder.
8. You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder.
![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot](images/diagnose-mdm-failures7.png)![device folder screenshot](images/diagnose-mdm-failures8.png)

View File

@ -124,7 +124,7 @@ A production ready deployment must have the appropriate certificate details as p
EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>
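Review bot: in the Wi-Fi bullet, both occurrences of `<EAPConfig>` are now raw angle brackets in markdown prose and will be treated as an HTML tag, so the element name the reader is told to look for disappears from the rendered text. Use backticks around `<EAPConfig>` or keep the entities. "your MDMs guidance" in the same line also needs an apostrophe.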

View File

@ -302,7 +302,7 @@ Value is one of the following:
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the &lt;LocURI&gt;&lt;/LocURI&gt; block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.

View File

@ -70,7 +70,7 @@ Summary of steps to enable a policy:
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient </LocURI>
</Target>
<Data>&lt;Enabled/&gt;</Data>
<Data><Enabled/></Data>
</Item>
</Replace>
<Final/>
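Review bot: the `<Data>` line now nests `<Enabled/>` as an element inside a SyncML sample instead of showing it as escaped text, and it is capitalised here while the disable example later in this file uses lower-case `<disabled/>`. Pick one casing for the payload across the examples. The context line above also has a trailing space inside `<LocURI>` ("AllowAppVClient </LocURI>") that is worth removing while this block is open.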
@ -270,7 +270,7 @@ The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualiza
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
<Final/>

View File

@ -40,7 +40,7 @@ Supported operations are Add, Delete, Get and Replace.
The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML.
> [!Important]   
> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \&lt; instead of &lt; because it is embedded in an XML. The examples provided in the topic are formatted for readability.
> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters.
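Review bot: the Important note loses its meaning with this replacement. The old text "\&lt; instead of &lt;" displayed the entity next to the bare character; the new text "\< instead of <" displays "< instead of <". The sentence exists to tell MDM authors to send the escaped form, so keep the entity visible, for example by writing `&lt;` in backticks.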
@ -51,8 +51,8 @@ ActionCenter | Example: `<ActionCenter enabled="true"></ActionCenter>`
ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)
ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>`
ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>`
StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx. **Large** - sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.
StartScreenSize | If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `<StartScreenSize>Large</StartScreenSize>`
StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx.
StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `<StartScreenSize>Large</StartScreenSize>`
Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).
Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>`
Application | <img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
@ -105,7 +105,7 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.m
Entry | Description
----------- | ------------
Folder | A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
Folder | A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
Folder example:
``` syntax
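Review bot: in the Folder row, `<Applications/>` and `<Application/>` are now raw tags inside a markdown table cell and will be parsed as HTML instead of displayed, so the sentence loses the two node names it describes. Put them in backticks, as the other rows in this table already do for `<ActionCenter ...>` and `<StartScreenSize>`.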
@ -403,7 +403,7 @@ The Search and custom buttons can be <em>remapped</em> or configured to open a s
>
> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.
To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open.
``` syntax
<ButtonRemapList>
@ -1199,7 +1199,7 @@ The following example shows how to add a new policy.
  <characteristic type="EnterpriseAssignedAccess">
    <characteristic type="AssignedAccess">
      <parm name=" AssignedAccessXml" datatype="string"
            value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;0&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Search&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; 
/&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;"/>
            value="<?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="0"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><ButtonLockdownList><Button name="Start"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button><Button name="Camera"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button><Button name="Search"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button></ButtonLockdownList><ButtonRemapList/></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><ButtonLockdownList><Button name="Start"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button><Button name="Camera"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button></ButtonLockdownList><ButtonRemapList/></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><ButtonLockdownList><Button name="Start"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button></ButtonLockdownList><ButtonRemapList/></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown>"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
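Review bot: the new `value="<?xml version="1.0" ...` attribute is not well-formed: the first inner double quote ends the attribute value, and a literal `<` is not allowed inside an attribute value at all. It also contradicts the Important note earlier in this file that AssignedAccessXml must use escaped characters when embedded in XML. Revert this line to the entity-encoded value; the bulk unescape should skip content inside code fences.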
@ -1237,7 +1237,7 @@ The following example shows how to lock down a device.
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml</LocURI>
</Target>
<Data>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;2&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;Button name=&quot;Search&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;</Data>
<Data><?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="2"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /><Button name="Search" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown></Data>
</Item>
</Add>
<Final/>
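Review bot: the unescaped `<Data><?xml version="1.0" encoding="utf-8"?><HandheldLockdown ...>` puts an XML declaration in the middle of the SyncML document, which is not well-formed, and turns the lockdown XML from a string payload into nested elements. The file's own guidance says this XML must be escaped when sent through an MDM, so the sample should keep the `&lt;`/`&quot;` form.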

View File

@ -13,7 +13,7 @@ ms.date: 06/26/2017
# EnterpriseAssignedAccess XSD
This XSD can be used to validate that the lockdown XML in the &lt;Data&gt; block of the AssignedAccessXML node.
This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
``` syntax
<?xml version="1.0" encoding="utf-16LE" ?>

View File

@ -60,7 +60,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
<p style="margin-left: 20px">Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -&gt; microsoft.com.
1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).

View File

@ -32,7 +32,7 @@ The root node for the EnterpriseExt configuration service provider. Supported op
Node for setting the custom device ID and string.
<a href="" id="devicecustomdata-customid"></a>**DeviceCustomData/CustomID**
Any string value as the device ID. This value appears in **Settings** &gt; **About** &gt; **Info**.
Any string value as the device ID. This value appears in **Settings** > **About** > **Info**.
Here's an example for getting custom data.

View File

@ -593,7 +593,7 @@ Query the device for a specific app subcategory, such as nonStore apps.
</Get>
```
The result contains a list of apps, such as &lt;Data&gt;App1/App2/App3&lt;/Data&gt;.
The result contains a list of apps, such as \<Data>App1/App2/App\</Data\>.
Subsequent query for a specific app for its properties.
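Review bot: the replacement changes the sample result from "App1/App2/App3" to "App1/App2/App", dropping the "3", and escapes the brackets unevenly (`\<Data>` versus `\</Data\>`). Restore "App3" and use one escaping style for both tags.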

View File

@ -123,7 +123,7 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The
Here are the details for requesting an authorization token:
- Login Authority = https:<span></span>//login.windows.net/&lt;TargetTenantId&gt;
- Login Authority = https:<span></span>//login.windows.net/\<TargetTenantId\>
- Resource/audience\* = https:<span></span>//onestore.microsoft.com
- ClientId = your AAD application client id
- ClientSecret = your AAD application client secret/key

View File

@ -334,7 +334,7 @@ A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/Expect
A Get operation on the ChangedNodesData returns an encoded XML. Here is example:
```syntax
&lt;Nodes&gt;&lt;Node Id=&quot;10&quot; Uri=&quot;&quot;&gt;&lt;/Node&gt;&lt;Node Id=&quot;20&quot; Uri=&quot;./DevDetail/Ext/Microsoft/DeviceName&quot;&gt;U09NRU5FV1ZBTFVF&lt;/Node&gt;&lt;/Nodes&gt;
<Nodes><Node Id="10" Uri=""></Node><Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node></Nodes>
```
It represents this:
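Review bot: the sentence above the fence says the Get "returns an encoded XML", and the old sample showed that encoded form. After this change the fence shows plain XML, so the example no longer matches the sentence and no longer differs in encoding from the "It represents this:" rendering that follows. Keep the entity-encoded string inside this code fence.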

View File

@ -1420,12 +1420,12 @@ Related policy:
If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
&lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;
<support.contoso.com><support.microsoft.com>
If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
Version 1703 or later:
If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
Version 1809:
If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.
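Review bot: the angle brackets in `<support.contoso.com><support.microsoft.com>` and `<about:blank>` are part of the value an admin has to enter, and un-escaping them puts that at risk. The hunk does not show what kind of file this is: in Markdown prose, bare angle-bracket text can be consumed as inline HTML or as an autolink (`<about:blank>` has the autolink shape) and lose its brackets when rendered, and inside an XML description element it makes the document ill-formed. Suggest keeping the entities, or using backticks if this is Markdown. The same applies to the three identical hunks that follow.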
@ -10603,12 +10603,12 @@ Related policy:
If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
&lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;
<support.contoso.com><support.microsoft.com>
If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
Version 1703 or later:
If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
Version 1809:
If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.
@ -22414,12 +22414,12 @@ Related policy:
If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
&lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;
<support.contoso.com><support.microsoft.com>
If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
Version 1703 or later:
If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
Version 1809:
If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.
@ -49724,12 +49724,12 @@ Related policy:
If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
&lt;support.contoso.com&gt;&lt;support.microsoft.com&gt;
<support.contoso.com><support.microsoft.com>
If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
Version 1703 or later:
If you do not want to send traffic to Microsoft, enable this policy and use the &lt;about&#58;blank&gt; value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
Version 1809:
If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.

View File

@ -176,7 +176,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
<Final/>
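Review bot: with the entities removed, `<disabled/>` is an element nested inside the SyncML `<Data>` node rather than escaped text carried as its value, so a reader who copies this sample sends a different document than before. If the goal is readability, wrap the payload in a CDATA section (`<Data><![CDATA[<disabled/>]]></Data>`) or keep the entities. The same applies to the other `<Data>` payloads un-escaped in this file.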
@ -340,7 +340,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList</LocURI>
</Target>
<Data>&lt;enabled/&gt;&lt;data id=&quot;Virtualization_JITVAllowList_Prompt&quot; value=&quot;C:\QuickPatch\TEST\snot.exe&#xF000;C:\QuickPatch\TEST\foo.exe&#xF000;C:\QuickPatch\TEST\bar.exe&quot;/&gt;</Data>
<Data><enabled/><data id="Virtualization_JITVAllowList_Prompt" value="C:\QuickPatch\TEST\snot.exe&#xF000;C:\QuickPatch\TEST\foo.exe&#xF000;C:\QuickPatch\TEST\bar.exe"/></Data>
</Item>
</Replace>
<Final/>
@ -384,7 +384,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
<Target>
<LocURI>./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange</LocURI>
</Target>
<Data>&lt;Enabled/&gt;&lt;Data id=&quot;SecondaryHomePagesList&quot; value=&quot;http://name1&#xF000;http://name1&#xF000;http://name2&#xF000;http://name2&quot;/&gt;</Data>
<Data><Enabled/><Data id="SecondaryHomePagesList" value="http://name1&#xF000;http://name1&#xF000;http://name2&#xF000;http://name2"/></Data>
</Item>
</Replace>
<Final/>
@ -416,7 +416,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck</LocURI>
</Target>
<Data>&lt;Enabled/&gt;</Data>
<Data><Enabled/></Data>
</Item>
</Replace>
<Final/>
@ -470,8 +470,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
<LocURI>./Device/Vendor/MSFT/Policy/Config/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt;
<enabled/>
<data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>
</Data>
</Item>
</Replace>
@ -507,8 +507,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;Streaming_Reestablishment_Interval_Prompt&quot; value=&quot;4&quot;/&gt;
<enabled/>
<data id="Streaming_Reestablishment_Interval_Prompt" value="4"/>
</Data>
</Item>
</Replace>
@ -560,8 +560,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
<LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses</LocURI>
</Target>
<Data>
&lt;enabled/&gt;&lt;data id=&quot;DeviceInstall_Classes_Deny_Retroactive&quot; value=&quot;true&quot;/&gt;
&lt;Data id=&quot;DeviceInstall_Classes_Deny_List&quot; value=&quot;1&#xF000;deviceId1&#xF000;2&#xF000;deviceId2&quot;/&gt;
<enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>
<Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;deviceId1&#xF000;2&#xF000;deviceId2"/>
</Data>
</Item>
</Replace>
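Review bot: the two parameter elements in this payload differ in case, `<data id="DeviceInstall_Classes_Deny_Retroactive" .../>` versus `<Data id="DeviceInstall_Classes_Deny_List" .../>`, and after un-escaping the capitalised one sits directly inside the SyncML `<Data>` element of the same name. XML names are case-sensitive and the samples in this file mix `<enabled/>`/`<data>` with `<Enabled/>`/`<Data>`, so it is worth confirming which spelling is accepted and using it throughout while these lines are being touched.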

View File

@ -603,41 +603,41 @@ Profile example
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML</LocURI>
</Target>
<Data>&lt;VPNProfile&gt;
&lt;ProfileName&gt;VPN_Demo&lt;/ProfileName&gt;
&lt;NativeProfile&gt;
&lt;Servers&gt;VPNServer.contoso.com&lt;/Servers&gt;
&lt;NativeProtocolType&gt;Automatic&lt;/NativeProtocolType&gt;
&lt;Authentication&gt;
&lt;UserMethod&gt;Eap&lt;/UserMethod&gt;
&lt;Eap&gt;
&lt;Configuration&gt;
&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt; &lt;EapMethod&gt; &lt;Type xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt; &lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt; &lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt; &lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt; &lt;/EapMethod&gt; &lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt; &lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt; &lt;Type&gt;25&lt;/Type&gt; &lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt; &lt;ServerValidation&gt; &lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt; &lt;ServerNames&gt;&lt;/ServerNames&gt; &lt;/ServerValidation&gt; &lt;FastReconnect&gt;true&lt;/FastReconnect&gt; &lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt; &lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt; &lt;Type&gt;13&lt;/Type&gt; &lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1&quot;&gt; &lt;CredentialsSource&gt; &lt;CertificateStore&gt; &lt;SimpleCertSelection&gt;false&lt;/SimpleCertSelection&gt; &lt;/CertificateStore&gt; &lt;/CredentialsSource&gt; &lt;ServerValidation&gt; &lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt; &lt;ServerNames&gt;&lt;/ServerNames&gt; &lt;/ServerValidation&gt; &lt;DifferentUsername&gt;false&lt;/DifferentUsername&gt; &lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt; &lt;AcceptServerName 
xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt; &lt;TLSExtensions xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt; &lt;FilteringInfo xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3&quot;&gt; &lt;EKUMapping&gt; &lt;EKUMap&gt; &lt;EKUName&gt;Unknown Key Usage&lt;/EKUName&gt; &lt;EKUOID&gt;1.3.6.1.4.1.311.87&lt;/EKUOID&gt; &lt;/EKUMap&gt; &lt;/EKUMapping&gt; &lt;ClientAuthEKUList Enabled=&quot;true&quot;&gt; &lt;EKUMapInList&gt; &lt;EKUName&gt;Unknown Key Usage&lt;/EKUName&gt; &lt;/EKUMapInList&gt; &lt;/ClientAuthEKUList&gt; &lt;/FilteringInfo&gt; &lt;/TLSExtensions&gt; &lt;/EapType&gt; &lt;/Eap&gt; &lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt; &lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt; &lt;PeapExtensions&gt; &lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt; &lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt; &lt;/PeapExtensions&gt; &lt;/EapType&gt; &lt;/Eap&gt; &lt;/Config&gt; &lt;/EapHostConfig&gt;
&lt;/Configuration&gt;
&lt;/Eap&gt;
&lt;/Authentication&gt;
&lt;RoutingPolicyType&gt;SplitTunnel&lt;/RoutingPolicyType&gt;
&lt;/NativeProfile&gt;
&lt;DomainNameInformation&gt;
&lt;DomainName&gt;.contoso.com&lt;/DomainName&gt;
&lt;DNSServers&gt;10.5.5.5&lt;/DNSServers&gt;
&lt;/DomainNameInformation&gt;
&lt;TrafficFilter&gt;
&lt;App&gt;%ProgramFiles%\Internet Explorer\iexplore.exe&lt;/App&gt;
&lt;/TrafficFilter&gt;
&lt;TrafficFilter&gt;
&lt;App&gt;Microsoft.MicrosoftEdge_8wekyb3d8bbwe&lt;/App&gt;
&lt;/TrafficFilter&gt;
&lt;Route&gt;
&lt;Address&gt;10.0.0.0&lt;/Address&gt;
&lt;PrefixSize&gt;8&lt;/PrefixSize&gt;
&lt;/Route&gt;
&lt;Route&gt;
&lt;Address&gt;25.0.0.0&lt;/Address&gt;
&lt;PrefixSize&gt;8&lt;/PrefixSize&gt;
&lt;/Route&gt;
&lt;RememberCredentials&gt;true&lt;/RememberCredentials&gt;
&lt;/VPNProfile&gt;</Data>
<Data><VPNProfile>
<ProfileName>VPN_Demo</ProfileName>
<NativeProfile>
<Servers>VPNServer.contoso.com</Servers>
<NativeProtocolType>Automatic</NativeProtocolType>
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> 
<EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
</NativeProfile>
<DomainNameInformation>
<DomainName>.contoso.com</DomainName>
<DNSServers>10.5.5.5</DNSServers>
</DomainNameInformation>
<TrafficFilter>
<App>%ProgramFiles%\Internet Explorer\iexplore.exe</App>
</TrafficFilter>
<TrafficFilter>
<App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App>
</TrafficFilter>
<Route>
<Address>10.0.0.0</Address>
<PrefixSize>8</PrefixSize>
</Route>
<Route>
<Address>25.0.0.0</Address>
<PrefixSize>8</PrefixSize>
</Route>
<RememberCredentials>true</RememberCredentials>
</VPNProfile></Data>
</Item>
</Add>
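Review bot: since the whole ProfileXML sample is being rewritten, note that it ships with server validation switched off: both `PerformServerValidation` elements are `false` and `<ServerNames></ServerNames>` is empty, alongside `<RememberCredentials>true</RememberCredentials>`. Readers tend to copy these profiles as they are, so suggest either turning validation on with placeholder server names or adding a sentence that the EAP values are for illustration only. The un-escaped `<VPNProfile>` also becomes nested markup inside `<Data>` rather than a text payload, so CDATA would be the safer way to get the readability this change is after.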
@ -1166,7 +1166,7 @@ PluginPackageFamilyName
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration</LocURI>
</Target>
<Data>&lt;pluginschema&gt;&lt;ipAddress&gt;auto&lt;/ipAddress&gt;&lt;port&gt;443&lt;/port&gt;&lt;networksettings&gt;&lt;routes&gt;&lt;includev4&gt;&lt;route&gt;&lt;address&gt;172.10.10.0&lt;/address&gt;&lt;prefix&gt;24&lt;/prefix&gt;&lt;/route&gt;&lt;/includev4&gt;&lt;/routes&gt;&lt;namespaces&gt;&lt;namespace&gt;&lt;space&gt;.vpnbackend.com&lt;/space&gt;&lt;dnsservers&gt;&lt;server&gt;172.10.10.11&lt;/server&gt;&lt;/dnsservers&gt;&lt;/namespace&gt;&lt;/namespaces&gt;&lt;/networksettings&gt;&lt;/pluginschema&gt;</Data>
<Data><pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema></Data>
</Item>
</Add>
```

View File

@ -347,7 +347,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
<PluginProfile>
<ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
<PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
<CustomConfiguration>&lt;pulse-schema&gt;&lt;isSingleSignOnCredential&gt;true&lt;/isSingleSignOnCredential&gt;&lt;/pulse-schema&gt;</CustomConfiguration>
<CustomConfiguration><pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema></CustomConfiguration>
</PluginProfile>
<Route>
<Address>192.168.0.0</Address>
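Review bot: the `ServerUrlList` context line just above the change reads `testserver2.contoso..com` with a doubled dot, which is worth fixing in the same pass. On the changed line, `<CustomConfiguration>` now contains `<pulse-schema>` as a child element instead of escaped text. Please check that against the type the XSD in this file declares for `CustomConfiguration` before un-escaping, since a string-typed element would not validate with element content.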

View File

@ -23,7 +23,7 @@ Programming considerations:
- Because the Windows 10 Mobile emulator does not support Wi-Fi, you cannot test the Wi-Fi configuration with an emulator. You can still provision a Wi-Fi network using the WiFi CSP, then check it in the Wi-Fi settings page, but you cannot test the network connectivity in the emulator.
- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device.
- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported.
- The &lt;name&gt;*name\_goes\_here*&lt;/name&gt;&lt;SSIDConfig&gt; must match &lt;SSID&gt;&lt;name&gt; *name\_goes\_here*&lt;/name&gt;&lt;/SSID&gt;.
- The <name>*name\_goes\_here*</name><SSIDConfig> must match <SSID><name> *name\_goes\_here*</name></SSID>.
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure.
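Review bot: in this Markdown bullet the un-escaped `<name>`, `<SSIDConfig>` and `<SSID>` are valid inline HTML tags, so the renderer passes them through and the reader sees only "name_goes_here" with no element names. Suggest wrapping the two fragments in backticks (and dropping the `\_` escapes inside them) rather than removing the entities. The last context line also has "Using Proxyis", missing a space.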
@ -41,10 +41,10 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is
Supported operation is Get.
<a href="" id="-ssid-"></a>***&lt;SSID&gt;***
<a href="" id="-ssid-"></a>***<SSID>***
Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted.
SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, &lt;LocURI&gt;./Vendor/MSFT/WiFi/Profile/&lt;*MUST BE NAME OF PROFILE AS PER WIFI XML*&gt;/WlanXml&lt;/LocURI&gt;.
SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, <LocURI>./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml</LocURI>.
The supported operations are Add, Get, Delete, and Replace.
@ -130,7 +130,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;?xml version=&quot;1.0&quot;?&gt;&lt;WLANProfile xmlns=&quot;http://contoso.com/networking/WLAN/profile/v1&quot;&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;hex&gt;412D4D534654574C414E&lt;/hex&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;/SSID&gt;&lt;nonBroadcast&gt;false&lt;/nonBroadcast&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;manual&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;WPA2&lt;/authentication&gt;&lt;encryption&gt;AES&lt;/encryption&gt;&lt;useOneX&gt;true&lt;/useOneX&gt;&lt;/authEncryption&gt;&lt;OneX xmlns=&quot;http://contoso.com/networking/OneX/v1&quot;&gt;&lt;authMode&gt;user&lt;/authMode&gt;&lt;EAPConfig&gt;&lt;EapHostConfig xmlns=&quot;http://contoso.com/provisioning/EapHostConfig&quot;&gt;&lt;EapMethod&gt;&lt;Type xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt;&lt;VendorId xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt;&lt;VendorType xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt;&lt;AuthorId xmlns=&quot;http://contoso.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt;&lt;/EapMethod&gt;&lt;Config xmlns=&quot;http://contoso.com/provisioning/EapHostConfig&quot;&gt;&lt;Eap xmlns=&quot;http://contoso.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;25&lt;/Type&gt;&lt;EapType xmlns=&quot;http://contoso.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt;&lt;ServerValidation&gt;&lt;DisableUserPromptForServerValidation&gt;true&lt;/DisableUserPromptForServerValidation&gt;&lt;ServerNames&gt;&lt;/ServerNames&gt;&lt;/ServerValidation&gt;&lt;FastReconnect&gt;true&lt;/FastReconnect&gt;&lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt;&lt;Eap xmlns=&quot;http://contoso.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;26&lt;/Type&gt;&lt;EapType 
xmlns=&quot;http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;&lt;UseWinLogonCredentials&gt;false&lt;/UseWinLogonCredentials&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt;&lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt;&lt;PeapExtensions&gt;&lt;PerformServerValidation xmlns=&quot;http://contoso.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/PerformServerValidation&gt;&lt;AcceptServerName xmlns=&quot;http://contoso.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt;&lt;/PeapExtensions&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;/Config&gt;&lt;/EapHostConfig&gt;&lt;/EAPConfig&gt;&lt;/OneX&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt; </Data>
<Data><?xml version="1.0"?><WLANProfile xmlns="http://contoso.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://contoso.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://contoso.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://contoso.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://contoso.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://contoso.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://contoso.com/provisioning/EapHostConfig"><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName 
xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data>
</Item>
</Add>
<Add>
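Review bot: the namespaces in this profile point at `http://contoso.com/...`, for example `xmlns="http://contoso.com/networking/WLAN/profile/v1"`, while the second PEAP-MSCHAPv2 sample in this file uses `http://www.microsoft.com/networking/WLAN/profile/v1` and the matching `provisioning` namespaces. That looks like a stray search-and-replace, and a profile with the wrong namespace will not be recognised, so suggest restoring the `www.microsoft.com` URIs while this line is being rewritten. This sample also sets `DisableUserPromptForServerValidation` to `true` with `PerformServerValidation` set to `false` and no `TrustedRootCA`, unlike the second sample; a short sentence saying that it does not validate the server would help readers choose between the two.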
@ -215,7 +215,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID MyNetw
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;?xml version=&quot;1.0&quot;?&gt;&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;/SSID&gt;&lt;nonBroadcast&gt;false&lt;/nonBroadcast&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;manual&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;WPA2&lt;/authentication&gt;&lt;encryption&gt;AES&lt;/encryption&gt;&lt;useOneX&gt;true&lt;/useOneX&gt;&lt;/authEncryption&gt;&lt;OneX xmlns=&quot;http://www.microsoft.com/networking/OneX/v1&quot;&gt;&lt;authMode&gt;user&lt;/authMode&gt;&lt;EAPConfig&gt;&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;&lt;EapMethod&gt;&lt;Type xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt;&lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt;&lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt;&lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt;&lt;/EapMethod&gt;&lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;&lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;25&lt;/Type&gt;&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt;&lt;ServerValidation&gt;&lt;DisableUserPromptForServerValidation&gt;true&lt;/DisableUserPromptForServerValidation&gt;&lt;ServerNames&gt;&lt;/ServerNames&gt;&lt;TrustedRootCA&gt; InsertCertThumbPrintHere &lt;/TrustedRootCA&gt;&lt;/ServerValidation&gt;&lt;FastReconnect&gt;true&lt;/FastReconnect&gt;&lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt;&lt;Eap 
xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;26&lt;/Type&gt;&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;&lt;UseWinLogonCredentials&gt;false&lt;/UseWinLogonCredentials&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt;&lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt;&lt;PeapExtensions&gt;&lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;true&lt;/PerformServerValidation&gt;&lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt;&lt;/PeapExtensions&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;/Config&gt;&lt;/EapHostConfig&gt;&lt;/EAPConfig&gt;&lt;/OneX&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt; </Data>
<Data><?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA> InsertCertThumbPrintHere </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName 
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data>
</Item>
</Add>
</Atomic>
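Review bot: `<Data><?xml version="1.0"?><WLANProfile ...` is no longer well-formed once un-escaped, because an XML declaration is only allowed at the very start of a document and here it appears inside the SyncML `<Data>` element. The `<Format xmlns="syncml:metinf">chr</Format>` above it also says the payload is character data. Suggest keeping the entities for this payload, or wrapping the profile in a CDATA section; the first WiFi sample in this file has the same problem.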

View File

@ -205,136 +205,136 @@ The following example shows an ADMX file in SyncML format:
<Target>
<LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01</LocURI>
</Target>
<Data>&lt;policyDefinitions revision=&quot;1.0&quot; schemaVersion=&quot;1.0&quot;&gt;
&lt;categories&gt;
&lt;category name=&quot;ParentCategoryArea&quot;/&gt;
&lt;category name=&quot;Category1&quot;&gt;
&lt;parentCategory ref=&quot;ParentCategoryArea&quot; /&gt;
&lt;/category&gt;
&lt;category name=&quot;Category2&quot;&gt;
&lt;parentCategory ref=&quot;ParentCategoryArea&quot; /&gt;
&lt;/category&gt;
&lt;category name=&quot;Category3&quot;&gt;
&lt;parentCategory ref=&quot;Category2&quot; /&gt;
&lt;/category&gt;
&lt;/categories&gt;
&lt;policies&gt;
&lt;policy name=&quot;L_PolicyConfigurationMode&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyConfigurationMode)&quot; explainText=&quot;$(string.L_ExplainText_ConfigurationMode)&quot; presentation=&quot;$(presentation.L_PolicyConfigurationMode)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;configurationmode&quot;&gt;
&lt;parentCategory ref=&quot;Category1&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;enabledValue&gt;
&lt;decimal value=&quot;1&quot; /&gt;
&lt;/enabledValue&gt;
&lt;disabledValue&gt;
&lt;decimal value=&quot;0&quot; /&gt;
&lt;/disabledValue&gt;
&lt;elements&gt;
&lt;text id=&quot;L_ServerAddressInternal_VALUE&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;serveraddressinternal&quot; required=&quot;true&quot; /&gt;
&lt;text id=&quot;L_ServerAddressExternal_VALUE&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;serveraddressexternal&quot; required=&quot;true&quot; /&gt;
&lt;/elements&gt;
&lt;/policy&gt;
&lt;policy name=&quot;L_PolicyEnableSIPHighSecurityMode&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyEnableSIPHighSecurityMode)&quot; explainText=&quot;$(string.L_ExplainText_EnableSIPHighSecurityMode)&quot; presentation=&quot;$(presentation.L_PolicyEnableSIPHighSecurityMode)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;enablesiphighsecuritymode&quot;&gt;
&lt;parentCategory ref=&quot;Category1&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;enabledValue&gt;
&lt;decimal value=&quot;1&quot; /&gt;
&lt;/enabledValue&gt;
&lt;disabledValue&gt;
&lt;decimal value=&quot;0&quot; /&gt;
&lt;/disabledValue&gt;
&lt;/policy&gt;
&lt;policy name=&quot;L_PolicySipCompression&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicySipCompression)&quot; explainText=&quot;$(string.L_ExplainText_SipCompression)&quot; presentation=&quot;$(presentation.L_PolicySipCompression)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
&lt;parentCategory ref=&quot;Category1&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;elements&gt;
&lt;enum id=&quot;L_PolicySipCompression&quot; valueName=&quot;sipcompression&quot;&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal0)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;0&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal1)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;1&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal2)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;2&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal3)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;3&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;/enum&gt;
&lt;/elements&gt;
&lt;/policy&gt;
&lt;policy name=&quot;L_PolicyPreventRun&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyPreventRun)&quot; explainText=&quot;$(string.L_ExplainText_PreventRun)&quot; presentation=&quot;$(presentation.L_PolicyPreventRun)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;preventrun&quot;&gt;
&lt;parentCategory ref=&quot;Category1&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;enabledValue&gt;
&lt;decimal value=&quot;1&quot; /&gt;
&lt;/enabledValue&gt;
&lt;disabledValue&gt;
&lt;decimal value=&quot;0&quot; /&gt;
&lt;/disabledValue&gt;
&lt;/policy&gt;
&lt;policy name=&quot;L_PolicyConfiguredServerCheckValues&quot; class=&quot;Machine&quot; displayName=&quot;$(string.L_PolicyConfiguredServerCheckValues)&quot; explainText=&quot;$(string.L_ExplainText_ConfiguredServerCheckValues)&quot; presentation=&quot;$(presentation.L_PolicyConfiguredServerCheckValues)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
&lt;parentCategory ref=&quot;Category2&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;elements&gt;
&lt;text id=&quot;L_ConfiguredServerCheckValues_VALUE&quot; valueName=&quot;configuredservercheckvalues&quot; required=&quot;true&quot; /&gt;
&lt;/elements&gt;
&lt;/policy&gt;
&lt;policy name=&quot;L_PolicySipCompression_1&quot; class=&quot;User&quot; displayName=&quot;$(string.L_PolicySipCompression)&quot; explainText=&quot;$(string.L_ExplainText_SipCompression)&quot; presentation=&quot;$(presentation.L_PolicySipCompression_1)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
&lt;parentCategory ref=&quot;Category2&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;elements&gt;
&lt;enum id=&quot;L_PolicySipCompression&quot; valueName=&quot;sipcompression&quot;&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal0)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;0&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal1)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;1&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal2)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;2&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;item displayName=&quot;$(string.L_SipCompressionVal3)&quot;&gt;
&lt;value&gt;
&lt;decimal value=&quot;3&quot; /&gt;
&lt;/value&gt;
&lt;/item&gt;
&lt;/enum&gt;
&lt;/elements&gt;
&lt;/policy&gt;
&lt;policy name=&quot;L_PolicyPreventRun_1&quot; class=&quot;User&quot; displayName=&quot;$(string.L_PolicyPreventRun)&quot; explainText=&quot;$(string.L_ExplainText_PreventRun)&quot; presentation=&quot;$(presentation.L_PolicyPreventRun_1)&quot; key=&quot;software\policies\contoso\companyApp&quot; valueName=&quot;preventrun&quot;&gt;
&lt;parentCategory ref=&quot;Category3&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;enabledValue&gt;
&lt;decimal value=&quot;1&quot; /&gt;
&lt;/enabledValue&gt;
&lt;disabledValue&gt;
&lt;decimal value=&quot;0&quot; /&gt;
&lt;/disabledValue&gt;
&lt;/policy&gt;
&lt;policy name=&quot;L_PolicyGalDownloadInitialDelay_1&quot; class=&quot;User&quot; displayName=&quot;$(string.L_PolicyGalDownloadInitialDelay)&quot; explainText=&quot;$(string.L_ExplainText_GalDownloadInitialDelay)&quot; presentation=&quot;$(presentation.L_PolicyGalDownloadInitialDelay_1)&quot; key=&quot;software\policies\contoso\companyApp&quot;&gt;
&lt;parentCategory ref=&quot;Category3&quot; /&gt;
&lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; /&gt;
&lt;elements&gt;
&lt;decimal id=&quot;L_GalDownloadInitialDelay_VALUE&quot; valueName=&quot;galdownloadinitialdelay&quot; minValue=&quot;0&quot; required=&quot;true&quot; /&gt;
&lt;/elements&gt;
&lt;/policy&gt;
&lt;/policies&gt;
&lt;/policyDefinitions&gt;</Data>
<Data><policyDefinitions revision="1.0" schemaVersion="1.0">
<categories>
<category name="ParentCategoryArea"/>
<category name="Category1">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category2">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category3">
<parentCategory ref="Category2" />
</category>
</categories>
<policies>
<policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
<elements>
<text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
<text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
</elements>
</policy>
<policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<enum id="L_PolicySipCompression" valueName="sipcompression">
<item displayName="$(string.L_SipCompressionVal0)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal1)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal2)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal3)">
<value>
<decimal value="3" />
</value>
</item>
</enum>
</elements>
</policy>
<policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category2" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
</elements>
</policy>
<policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category2" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<enum id="L_PolicySipCompression" valueName="sipcompression">
<item displayName="$(string.L_SipCompressionVal0)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal1)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal2)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal3)">
<value>
<decimal value="3" />
</value>
</item>
</enum>
</elements>
</policy>
<policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
<parentCategory ref="Category3" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category3" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
</elements>
</policy>
</policies>
</policyDefinitions></Data>
</Item>
</Add>
<Final/>
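Review bot: The ADMX payload inside `<Data>` is now literal markup rather than entity-escaped text, so an XML parser reading this SyncML will see `<policyDefinitions>` as a child element of `<Data>` instead of a string value. If the payload is meant to be carried as character data, keep the `&lt;`/`&quot;` escaping or wrap the block in a CDATA section, and state which form readers should send.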
@ -423,7 +423,7 @@ The following examples describe how to set an ADMX-ingested app policy.
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
</Target>
<Data>&lt;enabled/&gt;&lt;data id=&quot;L_ServerAddressInternal_VALUE&quot; value=&quot;TextValue1&quot;/&gt;&lt;data id=&quot;L_ServerAddressExternal_VALUE&quot; value=&quot;TextValue2&quot;/&gt;</Data>
<Data><enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/></Data>
</Item>
</Replace>
<Final/>
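Review bot: The `<LocURI>` in the context lines reads `ContosoCompanyApp~ Policy~ParentCategoryArea~Category1`, with a space after the first tilde, and the same string appears in the following hunk. Please confirm whether that space is intended; if it is not, fix both examples here, since readers copy this URI verbatim. The `<enabled/>` and `<data .../>` payload is also changed from escaped text to literal markup inside `<Data>`, so confirm that form is accepted as written.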
@ -457,7 +457,7 @@ The following examples describe how to set an ADMX-ingested app policy.
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
</Target>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
<Final/>

View File

@ -65,7 +65,7 @@ To perform a "wipe and persist" reset, preserving the provisioning applied to th
## Reset using the UI
1. On your mobile device, go to **Settings** &gt; **System** &gt; **About** &gt; **Reset your Phone**
1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone**
2. When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if:
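Review bot: Step 1 names the menu entry **Reset your Phone** while step 2 refers to **Reset your phone**; use one capitalization, matching the label shown on the device.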

Binary file not shown.


View File

@ -32,54 +32,54 @@ $nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
&lt;Profiles&gt;
&lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
&lt;AllAppsList&gt;
&lt;AllowedApps&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt;
&lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt;
&lt;/AllowedApps&gt;
&lt;/AllAppsList&gt;
&lt;StartLayout&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
]]&gt;
&lt;/StartLayout&gt;
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
&lt;/Profile&gt;
&lt;/Profiles&gt;
&lt;Configs&gt;
&lt;Config&gt;
&lt;Account&gt;MultiAppKioskUser&lt;/Account&gt;
&lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
&lt;/Config&gt;
&lt;/Configs&gt;
&lt;/AssignedAccessConfiguration&gt;
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
"@
Set-CimInstance -CimInstance $obj
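Review bot: The here-string assigned to `$obj.Configuration` changes from entity-escaped XML to raw XML, which changes the string that `Set-CimInstance` writes to `MDM_AssignedAccess`. If the property expects the escaped form, the sample stops working as published; either keep the escaping or encode in the script, for example by passing the here-string through `[System.Net.WebUtility]::HtmlEncode()`, and state in the text which form is required.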

View File

@ -34,6 +34,9 @@ For example:
1. [Verify that the provisioning package is applied successfully](kiosk-validate.md).
2. Verify that the account (config) is mapped to a profile in the configuration XML file.
3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
## Apps configured in AllowedList are blocked
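Review bot: Step 4 says the AssignedAccess Operational channel is disabled by default but leaves the enabling steps to the screenshot's alt text. Spell the action out in the step itself (in Event Viewer, right-click **Operational** and select **Enable Log**) so the instruction survives where the image does not render.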

View File

@ -218,6 +218,13 @@
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
### [Get started with Windows Update](update/windows-update-overview.md)
#### [How Windows Update works](update/how-windows-update-works.md)
#### [Windows Update log files](update/windows-update-logs.md)
#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md)
#### [Common Windows Update errors](update/windows-update-errors.md)
#### [Windows Update error code reference](update/windows-update-error-reference.md)
#### [Other Windows Update resources](update/windows-update-resources.md)
### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)

Binary file not shown.


View File

@ -32,7 +32,6 @@ We're removing the following features and functionalities from the installed pro
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.|
|Trusted Platform Module (TPM) management console|The information previously available in the TPM management console is now available on the [**Device security**](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security) page in the [Windows Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).|
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|Were no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).|
## Features were no longer developing

Binary file not shown.


View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/27/2018
ms.date: 10/04/2018
keywords: oms, operations management suite, optimization, downloads, updates, log analytics
ms.localizationpriority: medium
---
@ -15,9 +15,7 @@ ms.localizationpriority: medium
# Delivery Optimization in Update Compliance
The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
>[!Note]
>Delivery Optimization Status is currently in development. See the [Known Issues](#known-issues) section for issues we are aware of and potential workarounds.
![DO status](images/UC_workspace_DO_status.png)
## Delivery Optimization Status
@ -27,7 +25,7 @@ The Delivery Optimization Status section includes three blades:
- The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category
- The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers).
![DO status](images/uc-DO-status.png)
## Device Configuration blade
@ -46,8 +44,3 @@ The download sources that could be included are:
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates.
## Known Issues
Delivery Optimization is currently in development. The following issues are known:
- DO Download Mode is not accurately portrayed in the Device Configuration blade. There is no workaround at this time.
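Review bot: The **Known Issues** section is dropped together with the in-development note, but nothing in the change indicates that the Download Mode inaccuracy in the Device Configuration blade was fixed. If the issue still applies, keep that bullet; otherwise confirm it is resolved before removing the only place it is documented.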

View File

@ -5,20 +5,20 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
ms.author: daniha
ms.date: 10/18/2017
author: Jaimeo
ms.author: jaimeo
ms.date: 10/04/2018
---
# Feature Update Status
![The Feature Update Status report](images/uc-featureupdatestatus.png)
![The Feature Update Status report](images/UC_workspace_FU_status.png)
The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels).
The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
## Overall Feature Update Status
The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and OS Version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category.
The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category.
## Deployment Status by Servicing Channel
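Review bot: The front matter now has `author: Jaimeo` next to `ms.author: jaimeo`, and the Delivery Optimization topic in this same change uses `author: jaimeo`; pick one casing. The second Servicing Channel link was made relative, but the Release Information link in the following paragraph is still an absolute `technet.microsoft.com/en-us` URL, so the links in this topic remain inconsistent.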
@ -31,4 +31,3 @@ Refer to the following list for what each state means:
* Devices that have failed the given feature update installation are counted as **Update failed**.
* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
Clicking on any row will navigate to the query relevant to that feature update. These queries are attached to [Perspectives](update-compliance-perspectives.md) that contain detailed deployment data for that update.
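Review bot: The **Status Unknown** bullet in the context lines says a device is "progressing toward this security update", but this topic covers feature updates, so the wording reads as carried over from the security update topic. Suggest "this feature update" while this section is being touched.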

View File

@ -8,76 +8,65 @@ ms.sitesec: library
ms.pagetype: deploy
author: Jaimeo
ms.author: jaimeo
ms.date: 08/21/2018
ms.date: 10/04/2018
ms.localizationpriority: medium
---
# Get started with Update Compliance
>[!IMPORTANT]
>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
1. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
2. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) to your organizations devices.
3. [Use Update Compliance to monitor Windows Updates](#use-update-compliance-to-monitor-windows-updates) once your devices are enrolled.
1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites).
2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription).
3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics).
4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization.
## Update Compliance prerequisites
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them.
3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device.
4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-enterprise-faq-itpro).
## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics
## Add Update Compliance to your Azure subscription
Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
>[!IMPORTANT]
>Update Compliance is a free solution for Azure subscribers.
> [!NOTE]
> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance.
If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below.
>[!NOTE]
>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace.
![Update Compliance marketplace search results](images/UC_00_marketplace_search.png)
3. Select **Update Compliance** and a blade will appear summarizing the solutions offerings. At the bottom, select **Create** to begin adding the solution to Azure.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
![Update Compliance solution creation](images/UC_01_marketplace_create.png)
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
![Operations Management Suite bar with sign-in button](images/uc-02a.png)
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
![OMS Sign-in dialog box for account name and password](images/uc-03a.png)
3. Create a new OMS workspace.
![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)
4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png)
5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)
6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
![OMS workspace with Solutions Gallery tile highlighted](images/uc-07a.png)
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
![Workspace showing Solutions Gallery](images/uc-08a.png)
8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
![OMS workspace with new Update Compliance tile on the right side highlighted](images/uc-09a.png)
9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organizations devices. More information on the Commercial ID is provided below.
![Series of blades showing Connected Sources, Windows Diagnostic Data, and Upgrade Analytics solution with Subscribe button](images/uc-10a.png)
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution.
- If you already have another Windows Analytics solution, you should use the same workspace.
- If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- For the location setting, choose the Azure region where you would prefer the data to be stored.
- For the pricing tier select **Free**.
>[!NOTE]
>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organizations devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
![Update Compliance workspace creation](images/UC_02_workspace_create.png)
5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**.
![Update Compliance workspace selection](images/UC_03_workspace_select.png)
6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**.
![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png)
## Enroll devices in Windows Analytics
Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment:
1. Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/core/understand/introduction) or similar).
2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
## Use Update Compliance to monitor Windows Updates
Once your devices are enrolled, you can start to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md).
After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices.
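Review bot: In the "Add Update Compliance to your Azure subscription" steps, step 5 describes the wait for resource group and workspace creation and only then ends with "Select **Create**", while step 3 already ends with selecting **Create**, so it is unclear which button is meant and when to press it. State the action first and the wait second, and name the blade the button is on. Step 2 has mismatched quotation marks around "Update Compliance", and the closing paragraph writes "CommercialID" where the rest of the file uses "Commercial ID". If the note saying that device data continues to be shared with Microsoft while the opt-in keys are set is being dropped along with the OMS steps, keep an equivalent statement in the Azure flow, since it tells administrators that unsubscribing alone does not stop collection.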

View File

@ -8,51 +8,39 @@ ms.sitesec: library
ms.pagetype: deploy
author: Jaimeo
ms.author: jaimeo
ms.date: 02/09/2018
ms.date: 10/04/2018
ms.localizationpriority: medium
---
# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
# Monitor Windows Updates with Update Compliance
## Introduction
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to:
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates.
* View a report of device and update issues related to compliance that need attention.
* See the status of Windows Defender Antivirus signatures and threats.
* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md).
Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
Update Compliance provides the following:
- Dedicated drill-downs for devices that might need attention
- An inventory of devices, including the version of Windows they are running and their update status
- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure
Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal).
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
Click the following link to see a video demonstrating Update Compliance features.
[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4)
## Update Compliance architecture
The Update Compliance architecture and data flow is summarized by the following five-step process:
**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
**(2)** Diagnostic data is analyzed by the Update Compliance Data Service.<BR>
**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your OMS workspace.<BR>
**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Log Analytics workspace.<BR>
**(4)** Diagnostic data is available in the Update Compliance solution.<BR>
**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.<BR>
These steps are illustrated in following diagram:
![Update Compliance architecture](images/uc-01-wdav.png)
>[!NOTE]
>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
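Review bot: The shorter heading "Monitor Windows Updates with Update Compliance" no longer matches the body, which still lists Windows Defender Antivirus status in the bullet list and in architecture step (5), and now also covers Delivery Optimization. Either keep Windows Defender Antivirus in the heading or choose a title that covers everything the bullets promise. The architecture steps mention only Windows updates and Windows Defender AV, so step (5) should pick up Delivery Optimization if the list above it does. The data-collection sentence says the data is sent "to a secure cloud"; a short statement of where it is stored and who can read it would tell the reader more than the adjective does.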

View File

@ -5,34 +5,39 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
ms.author: daniha
ms.date: 10/13/2017
author: Jaimeo
ms.author: jaimeo
ms.date: 10/04/2018
---
# Need Attention!
# Needs attention!
![Needs attention section](images/UC_workspace_needs_attention.png)
![Need Attention! report](images/uc-needattentionoverview.png)
The “Need Attention!” section provides a breakdown of all device issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade is shown within this section that contains queries that provide values but do not fit within any other main section.
The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
>[!NOTE]
>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers may not add up.
>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
The different issues are broken down by Device Issues and Update Issues, which are iterated below:
The different issues are broken down by Device Issues and Update Issues:
## Device Issues
* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices may be more vulnerable and should be investigated and updated.
* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer be serviced, and may be vulnerable. These devices should be updated to a supported version of Windows 10.
* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated.
* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10.
## Update Issues
* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors may be transient, but should be investigated further to be sure.
* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure.
* **Cancelled**: This issue occurs when a user cancels the update process.
* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
Clicking on any of the issues will navigate you to the Log Search view with all devices that have the given issue.
Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
>[!NOTE]
>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
## List of Queries
The List of Queries blade resides within the “Need Attention!” section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
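Review bot: The section name is written two ways in this file: the heading and the first paragraph use "Needs attention!", while the List of Queries paragraph uses "**Needs Attention**" with a capital A and no exclamation mark. Pick the form shown in the workspace and use it throughout. The "Progress stalled" bullet gives a period of 10 days, whereas the Security Update Status text in this same commit counts no progress for seven days as an update issue, so the two thresholds should be reconciled or the difference explained.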

View File

@ -5,28 +5,25 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
ms.author: daniha
ms.date: 10/13/2017
author: Jaimeo
ms.author: jaimeo
ms.date: 10/04/2018
---
# Security Update Status
![The Security Update Status report](images/uc-securityupdatestatus.png)
![The Security Update Status report](images/UC_workspace_SU_status.png)
The Security Update Status section provides information about [quality updates](waas-quick-start.md#definitions) across all devices. The section tile within the O[verview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update to provide the most essential data without needing to navigate into the section. However, within the section the Overall Quality Update Status blade also considers whether devices are up-to-date on non-security updates.
The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates.
>[!NOTE]
>It is possible for the percentage of devices on the latest security update to differ from devices that are up-to-date on all quality updates. This is because some devices may have non-security updates that are applicable to them.
The **Overall Quality Update Status** blade provides a visualization of devices that are and are not up-to-date on the latest quality updates (not just security updates). Below the visualization are all devices further broken down by OS Version and a count of how many are up-to-date and not up-to-date. Within the “Not up-to-date” column, the count of update failures is also given.
The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures.
The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization.
What follows is a breakdown of the different deployment states reported by devices:
The various deployment states reported by devices are as follows:
* **Installed** devices are devices that have completed installation for the given update.
* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using WU for Business Settings.
* Devices that have **Update Failed**, failed updating at some point during the installation process of the given security update.
* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using Windows Update for Business Settings.
* Devices that have **Update Issues** have failed to update at some point during the installation process of the given security update or have not seen progress for a period of seven days.
* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. This is most often devices that have not scanned for an update in some time, or devices not being managed through Windows Update.
The rows of each tile in this section are interactive; clicking on them will navigate you to the query that is representative of that row and section. These queries are also attached to [Perspectives](update-compliance-perspectives.md) with detailed deployment data for that update.
The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section.
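Review bot: In the **Overall Security Update Status** paragraph, "devices that are and do not have the latest security updates" is left ungrammatical by the rewording; "devices that have and do not have the latest security updates" would read correctly. In the deployment states list, "Windows Update for Business Settings" capitalizes "Settings" as if it were a product name, which it is not elsewhere in these files.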

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 10/13/2017
ms.date: 10/04/2018
ms.localizationpriority: medium
---
@ -18,64 +18,72 @@ In this section you'll learn how to use Update Compliance to monitor your device
Update Compliance:
- Uses diagnostic data gathered from user devices to form an all-up view of Windows 10 devices in your organization.
- Enables you to maintain a high-level perspective on the progress and status of updates across all devices.
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
- Summarizes Windows Defender Antivirus status for devices that use it.
- Provides detailed deployment data for Windows 10 security, quality, and feature updates.
- Reports when devices have issues related to updates that need attention.
- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md).
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
>[!NOTE]
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
## The Update Compliance tile
After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), youll see this tile:
In Update Compliance, data is separated into vertically-sliced sections. Each section is referred to as a blade. Within a blade, there may or may not be multiple tiles, which serve to represent the data in different ways. Blades are summarized by their title in the upper-left corner above it. Every number displayed in OMS is the direct result of one or more queries. Clicking on data in blades will often navigate you to the query view, with the query used to produce that data. Some of these queries have perspectives attached to them; when a perspective is present, an additional tab will load in the query view. These additional tabs provide blades containing more information relevant to the results of the query.
![Update Compliance tile no data](images/UC_tile_assessing.png)
## The Update Compliance Tile
When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
After Update Compliance has successfully been added from the solution gallery, youll see this tile:
![Empty Update Compliance Tile](images/uc-emptyworkspacetile.png)
![Update Compliance tile with data](images/UC_tile_filled.png)
When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed.
![Filled Update Compliance Tile](images/uc-filledworkspacetile.png)
## The Update Compliance workspace
The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was updated.
![Update Compliance workspace view](images/UC_workspace_needs_attention.png)
## The Update Compliance Workspace
When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data.
![Update Compliance workspace view](images/uc-filledworkspaceview.png)
### Overview blade
Upon clicking the tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview Blade providing a hub from which to navigate to different reports of your devices data.
![The Overview blade](images/UC_workspace_overview_blade.png)
### Overview Blade
![The Overview Blade](images/uc-overviewblade.png)
Update Compliances overview blade provides a summarization of all the data Update Compliance focuses on. It functions as a hub from which different sections can be navigated to. The total number of devices detected by Update Compliance are counted within the title of this blade. What follows is a distribution for all devices as to whether they are up to date on:
* Quality updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
Update Compliances overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus.
The blade also provides the time at which your Update Compliance workspace was refreshed.
The blade also provides the time at which your Update Compliance workspace was [refreshed](#data-latency).
Below the “Last Updated” time, a list of the different sections follows that can be clicked on to view more information, they are:
* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It counts the number of devices encountering issues and need attention; clicking into this provides blades that summarize the different issues that devices are encountering, and provides a List of Queries that Microsoft finds useful.
* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Clicking into this section provides blades that summarize the overall status of Quality updates across all devices; including deployment.
* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Clicking into this section provides blades that summarize the overall feature update status across all devices, with an emphasis on deployment progress.
* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Clicking into this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus.
The following is a breakdown of the different sections available in Update Compliance:
* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates.
* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates.
* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment.
* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed.
* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types.
Use [Perspectives](update-compliance-perspectives.md) for data views that provide deeper insight into your data.
## Utilizing Log Analytics
## Update Compliance data latency
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows:
Update Compliance is built upon the Log Analytics platform that is integrated into Operations Management Suite. All data within the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance.
Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below.
| Data Type | Refresh Rate | Data Latency |
|--|--|--|
|WaaSUpdateStatus | Once per day |4 hours |
|WaaSInsiderStatus| Once per day |4 hours |
|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours |
|WDAVStatus|On signature update|24 hours |
|WDAVThreat|On threat detection|24 hours |
|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours |
|WUDOStatus|Once per day|12 hours |
This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh).
## Using Log Analytics
Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance.
See below for a few topics related to Log Analytics:
* Learn how to effectively execute custom Log Searches by referring to Microsoft Azures excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards).
* [Gain an overview of Log Analytics alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to utilize it to always stay informed about the most critical issues you care about.
>[!NOTE]
>You can use the Feedback Hub App on Windows 10 devices to [provide feedback about Update Compliance](feedback-hub://?referrer=itProDocs&tabid=2&contextid=797) and other Windows Analytics solutions.
* [Gain an overview of Log Analytics alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about.
## Related topics
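Review bot: The renamed "Security updates" bullet still defines the term as quality updates ("A device is up to date on quality updates whenever it has the latest applicable quality update installed"), so the label and its definition disagree; reword the body to say security updates or keep the old label. The `[refreshed](#data-latency)` link does not match the new heading "## Update Compliance data latency", whose generated anchor would normally be `#update-compliance-data-latency`. In the latency section, the closing sentence gives 36-48 hours for WaaSDeploymentStatus and WUDOAggregatedStatus while the table lists 24-36 hours for both; state which figure readers should plan around, and tighten "The process that follows is as follows:".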

View File

@ -7,25 +7,29 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 05/17/2018
ms.date: 10/04/2018
---
# Windows Defender AV Status
![The Windows Defender AV Status report](images/uc-windowsdefenderavstatus.png)
![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)
The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection this percentage only considers devices using Windows Defender Antivirus.
>[!NOTE]
>Customers with E5 licenses can monitor the Windows Defender AV status by using the Windows Defender ATP portal. For more information about monitoring devices with this portal, see [Onboard Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection).
>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx).
The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Clicking any of these statuses will navigate you to a Log Search view containing the query.
# Windows Defender AV Status sections
The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.
The **Threat Status** blade provides a visualization of, for devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Clicking either of these will navigate to the respective query in Log Search for further investigation.
The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
Here are some important terms to consider when utilizing the Windows Defender AV Status section of Update Compliance:
* **Signature out of date** devices are devices with signature older than 14 days.
* **No real-time protection** devices are devices who are using Windows Defender AV but have turned off Real-time protection.
Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
* **Signature out of date** devices are devices with a signature older than 14 days.
* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This can be due to reason like disk full, network error, operation aborted, etc. Manual intervention may be needed from IT team.
* **Not assessed** devices are devices where either a third-party AV solution is used or it has been more than 7 days since the device recently disappeared.
* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
## Windows Defender data latency
Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
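Review bot: "# Windows Defender AV Status sections" is added as a second level-1 heading under the page title "# Windows Defender AV Status"; make it "## Windows Defender AV Status sections" so it sits at the same level as "## Windows Defender data latency". In the "Remediation failed" bullet, "from IT team" needs an article ("from the IT team"). The new latency paragraph says Defender data for new devices can take up to 28 days to appear; consider saying how such a device is counted in the Protection Status blade during that window, so that an absent device is not read as a protected one.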

View File

@ -5,7 +5,7 @@ keywords: Device Health, oms, Azure, portal, operations management suite, add, m
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.date: 09/12/2018
ms.date: 10/05/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
@ -26,14 +26,21 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and
### Permissions
It's important to understand the difference between Azure Active Directory and an Azure subscription:
**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices.
>[!IMPORTANT]
>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked Azure subscription or Azure resource group.
>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group.
To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to:
[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png)
If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspaces's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states).
If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states).
When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page.
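Review bot: The access instructions in the "If you do not see your workspace" paragraph still lead with a subscription-level role assignment and mention the resource group only in parentheses, even though the new text describes the subscription as a security boundary; suggest presenting the resource-group scope first and "Log Analytics Reader" as the default, with "Log Analytics Contributor" reserved for users who create deployment plans or change application readiness states. Also, "Azure Active Directory (AD)" introduces the abbreviation "AD" while the next paragraph uses "Azure AD"; pick one form. The [!IMPORTANT] note italicizes *Azure subscription* but leaves "Azure resource group" plain.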

View File

@ -41,7 +41,7 @@ Microsoft uses a unique commercial ID to map information from user computers to
## Enable data sharing
To enable data sharing, configure your proxy sever to whitelist the following endpoints. You might need to get approval from your security group to do this.
To enable data sharing, configure your proxy server to whitelist the following endpoints. You might need to get approval from your security group to do this.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
@ -53,7 +53,7 @@ To enable data sharing, configure your proxy sever to whitelist the following en
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. |
| `https://login.live.com` | This end-point is required by Device Health to ensure data integrity and provides a more reliable device identity for all Windows Analtyics solutions on Windows 10. Those who wish to disable end-user MSA access should do so by applying [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) rather than blocking this end-point. |
| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
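Review bot: The new `https://login.live.com` row misspells "Windows Analtyics" (should be "Windows Analytics") and writes "end-point" twice where the table header and the introducing sentence use "Endpoint" and "endpoints". The row also drops the earlier statement that WER uses an anti-spoofing API at this address; "to ensure data integrity and provides a more reliable device identity" is less specific, so consider keeping one sentence on what the endpoint is used for, since the paragraph above notes that the security group may need to approve the proxy exception.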

Some files were not shown because too many files have changed in this diff