diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1f8831fdb9..78c7959ac0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,6 +6,21 @@ "redirect_document_id": true }, { +"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", +"redirect_url": "/itpro/surface-hub/finishing-your-surface-hub-meeting", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md", +"redirect_url": "/itpro/surface-hub/provisioning-packages-for-surface-hub", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md", +"redirect_url": "/itpro/surface-hub/admin-group-management-for-surface-hub", +"redirect_document_id": true +}, +{ "source_path": "devices/surface-hub/surface-hub-administrators-guide.md", "redirect_url": "/itpro/surface-hub/index", "redirect_document_id": true @@ -386,6 +401,11 @@ "redirect_document_id": true }, { +"source_path": "windows/keep-secure/hello-enable-phone-signin.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", +"redirect_document_id": false +}, +{ "source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md", "redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune", "redirect_document_id": true diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000000..a2c95fc155 --- /dev/null +++ b/LICENSE @@ -0,0 +1,395 @@ +Attribution 4.0 International + +======================================================================= + +Creative Commons Corporation ("Creative Commons") is not a law firm and +does not provide legal services or legal advice. Distribution of +Creative Commons public licenses does not create a lawyer-client or +other relationship. Creative Commons makes its licenses and related +information available on an "as-is" basis. Creative Commons gives no +warranties regarding its licenses, any material licensed under their +terms and conditions, or any related information. Creative Commons +disclaims all liability for damages resulting from their use to the +fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and +conditions that creators and other rights holders may use to share +original works of authorship and other material subject to copyright +and certain other rights specified in the public license below. The +following considerations are for informational purposes only, are not +exhaustive, and do not form part of our licenses. + + Considerations for licensors: Our public licenses are + intended for use by those authorized to give the public + permission to use material in ways otherwise restricted by + copyright and certain other rights. Our licenses are + irrevocable. Licensors should read and understand the terms + and conditions of the license they choose before applying it. + Licensors should also secure all rights necessary before + applying our licenses so that the public can reuse the + material as expected. Licensors should clearly mark any + material not subject to the license. This includes other CC- + licensed material, or material used under an exception or + limitation to copyright. More considerations for licensors: + wiki.creativecommons.org/Considerations_for_licensors + + Considerations for the public: By using one of our public + licenses, a licensor grants the public permission to use the + licensed material under specified terms and conditions. If + the licensor's permission is not necessary for any reason--for + example, because of any applicable exception or limitation to + copyright--then that use is not regulated by the license. Our + licenses grant only permissions under copyright and certain + other rights that a licensor has authority to grant. Use of + the licensed material may still be restricted for other + reasons, including because others have copyright or other + rights in the material. A licensor may make special requests, + such as asking that all changes be marked or described. + Although not required by our licenses, you are encouraged to + respect those requests where reasonable. More_considerations + for the public: + wiki.creativecommons.org/Considerations_for_licensees + +======================================================================= + +Creative Commons Attribution 4.0 International Public License + +By exercising the Licensed Rights (defined below), You accept and agree +to be bound by the terms and conditions of this Creative Commons +Attribution 4.0 International Public License ("Public License"). To the +extent this Public License may be interpreted as a contract, You are +granted the Licensed Rights in consideration of Your acceptance of +these terms and conditions, and the Licensor grants You such rights in +consideration of benefits the Licensor receives from making the +Licensed Material available under these terms and conditions. + + +Section 1 -- Definitions. + + a. Adapted Material means material subject to Copyright and Similar + Rights that is derived from or based upon the Licensed Material + and in which the Licensed Material is translated, altered, + arranged, transformed, or otherwise modified in a manner requiring + permission under the Copyright and Similar Rights held by the + Licensor. For purposes of this Public License, where the Licensed + Material is a musical work, performance, or sound recording, + Adapted Material is always produced where the Licensed Material is + synched in timed relation with a moving image. + + b. Adapter's License means the license You apply to Your Copyright + and Similar Rights in Your contributions to Adapted Material in + accordance with the terms and conditions of this Public License. + + c. Copyright and Similar Rights means copyright and/or similar rights + closely related to copyright including, without limitation, + performance, broadcast, sound recording, and Sui Generis Database + Rights, without regard to how the rights are labeled or + categorized. For purposes of this Public License, the rights + specified in Section 2(b)(1)-(2) are not Copyright and Similar + Rights. + + d. Effective Technological Measures means those measures that, in the + absence of proper authority, may not be circumvented under laws + fulfilling obligations under Article 11 of the WIPO Copyright + Treaty adopted on December 20, 1996, and/or similar international + agreements. + + e. Exceptions and Limitations means fair use, fair dealing, and/or + any other exception or limitation to Copyright and Similar Rights + that applies to Your use of the Licensed Material. + + f. Licensed Material means the artistic or literary work, database, + or other material to which the Licensor applied this Public + License. + + g. Licensed Rights means the rights granted to You subject to the + terms and conditions of this Public License, which are limited to + all Copyright and Similar Rights that apply to Your use of the + Licensed Material and that the Licensor has authority to license. + + h. Licensor means the individual(s) or entity(ies) granting rights + under this Public License. + + i. Share means to provide material to the public by any means or + process that requires permission under the Licensed Rights, such + as reproduction, public display, public performance, distribution, + dissemination, communication, or importation, and to make material + available to the public including in ways that members of the + public may access the material from a place and at a time + individually chosen by them. + + j. Sui Generis Database Rights means rights other than copyright + resulting from Directive 96/9/EC of the European Parliament and of + the Council of 11 March 1996 on the legal protection of databases, + as amended and/or succeeded, as well as other essentially + equivalent rights anywhere in the world. + + k. You means the individual or entity exercising the Licensed Rights + under this Public License. Your has a corresponding meaning. + + +Section 2 -- Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, + the Licensor hereby grants You a worldwide, royalty-free, + non-sublicensable, non-exclusive, irrevocable license to + exercise the Licensed Rights in the Licensed Material to: + + a. reproduce and Share the Licensed Material, in whole or + in part; and + + b. produce, reproduce, and Share Adapted Material. + + 2. Exceptions and Limitations. For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public + License does not apply, and You do not need to comply with + its terms and conditions. + + 3. Term. The term of this Public License is specified in Section + 6(a). + + 4. Media and formats; technical modifications allowed. The + Licensor authorizes You to exercise the Licensed Rights in + all media and formats whether now known or hereafter created, + and to make technical modifications necessary to do so. The + Licensor waives and/or agrees not to assert any right or + authority to forbid You from making technical modifications + necessary to exercise the Licensed Rights, including + technical modifications necessary to circumvent Effective + Technological Measures. For purposes of this Public License, + simply making modifications authorized by this Section 2(a) + (4) never produces Adapted Material. + + 5. Downstream recipients. + + a. Offer from the Licensor -- Licensed Material. Every + recipient of the Licensed Material automatically + receives an offer from the Licensor to exercise the + Licensed Rights under the terms and conditions of this + Public License. + + b. No downstream restrictions. You may not offer or impose + any additional or different terms or conditions on, or + apply any Effective Technological Measures to, the + Licensed Material if doing so restricts exercise of the + Licensed Rights by any recipient of the Licensed + Material. + + 6. No endorsement. Nothing in this Public License constitutes or + may be construed as permission to assert or imply that You + are, or that Your use of the Licensed Material is, connected + with, or sponsored, endorsed, or granted official status by, + the Licensor or others designated to receive attribution as + provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. Moral rights, such as the right of integrity, are not + licensed under this Public License, nor are publicity, + privacy, and/or other similar personality rights; however, to + the extent possible, the Licensor waives and/or agrees not to + assert any such rights held by the Licensor to the limited + extent necessary to allow You to exercise the Licensed + Rights, but not otherwise. + + 2. Patent and trademark rights are not licensed under this + Public License. + + 3. To the extent possible, the Licensor waives any right to + collect royalties from You for the exercise of the Licensed + Rights, whether directly or through a collecting society + under any voluntary or waivable statutory or compulsory + licensing scheme. In all other cases the Licensor expressly + reserves any right to collect such royalties. + + +Section 3 -- License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the +following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified + form), You must: + + a. retain the following if it is supplied by the Licensor + with the Licensed Material: + + i. identification of the creator(s) of the Licensed + Material and any others designated to receive + attribution, in any reasonable manner requested by + the Licensor (including by pseudonym if + designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of + warranties; + + v. a URI or hyperlink to the Licensed Material to the + extent reasonably practicable; + + b. indicate if You modified the Licensed Material and + retain an indication of any previous modifications; and + + c. indicate the Licensed Material is licensed under this + Public License, and include the text of, or the URI or + hyperlink to, this Public License. + + 2. You may satisfy the conditions in Section 3(a)(1) in any + reasonable manner based on the medium, means, and context in + which You Share the Licensed Material. For example, it may be + reasonable to satisfy the conditions by providing a URI or + hyperlink to a resource that includes the required + information. + + 3. If requested by the Licensor, You must remove any of the + information required by Section 3(a)(1)(A) to the extent + reasonably practicable. + + 4. If You Share Adapted Material You produce, the Adapter's + License You apply must not prevent recipients of the Adapted + Material from complying with this Public License. + + +Section 4 -- Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that +apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right + to extract, reuse, reproduce, and Share all or a substantial + portion of the contents of the database; + + b. if You include all or a substantial portion of the database + contents in a database in which You have Sui Generis Database + Rights, then the database in which You have Sui Generis Database + Rights (but not its individual contents) is Adapted Material; and + + c. You must comply with the conditions in Section 3(a) if You Share + all or a substantial portion of the contents of the database. + +For the avoidance of doubt, this Section 4 supplements and does not +replace Your obligations under this Public License where the Licensed +Rights include other Copyright and Similar Rights. + + +Section 5 -- Disclaimer of Warranties and Limitation of Liability. + + a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + + b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + + c. The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. + + +Section 6 -- Term and Termination. + + a. This Public License applies for the term of the Copyright and + Similar Rights licensed here. However, if You fail to comply with + this Public License, then Your rights under this Public License + terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under + Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided + it is cured within 30 days of Your discovery of the + violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any + right the Licensor may have to seek remedies for Your violations + of this Public License. + + c. For the avoidance of doubt, the Licensor may also offer the + Licensed Material under separate terms or conditions or stop + distributing the Licensed Material at any time; however, doing so + will not terminate this Public License. + + d. Sections 1, 5, 6, 7, and 8 survive termination of this Public + License. + + +Section 7 -- Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different + terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the + Licensed Material not stated herein are separate from and + independent of the terms and conditions of this Public License. + + +Section 8 -- Interpretation. + + a. For the avoidance of doubt, this Public License does not, and + shall not be interpreted to, reduce, limit, restrict, or impose + conditions on any use of the Licensed Material that could lawfully + be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is + deemed unenforceable, it shall be automatically reformed to the + minimum extent necessary to make it enforceable. If the provision + cannot be reformed, it shall be severed from this Public License + without affecting the enforceability of the remaining terms and + conditions. + + c. No term or condition of this Public License will be waived and no + failure to comply consented to unless expressly agreed to by the + Licensor. + + d. Nothing in this Public License constitutes or may be interpreted + as a limitation upon, or waiver of, any privileges and immunities + that apply to the Licensor or You, including from the legal + processes of any jurisdiction or authority. + + +======================================================================= + +Creative Commons is not a party to its public +licenses. Notwithstanding, Creative Commons may elect to apply one of +its public licenses to material it publishes and in those instances +will be considered the “Licensor.” The text of the Creative Commons +public licenses is dedicated to the public domain under the CC0 Public +Domain Dedication. Except for the limited purpose of indicating that +material is shared under a Creative Commons public license or as +otherwise permitted by the Creative Commons policies published at +creativecommons.org/policies, Creative Commons does not authorize the +use of the trademark "Creative Commons" or any other trademark or logo +of Creative Commons without its prior written consent including, +without limitation, in connection with any unauthorized modifications +to any of its public licenses or any other arrangements, +understandings, or agreements concerning use of licensed material. For +the avoidance of doubt, this paragraph does not form part of the +public licenses. + +Creative Commons may be contacted at creativecommons.org. \ No newline at end of file diff --git a/LICENSE-CODE b/LICENSE-CODE new file mode 100644 index 0000000000..b17b032a43 --- /dev/null +++ b/LICENSE-CODE @@ -0,0 +1,17 @@ +The MIT License (MIT) +Copyright (c) Microsoft Corporation + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and +associated documentation files (the "Software"), to deal in the Software without restriction, +including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial +portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT +NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md index 8864d2a10e..01059ee91d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,8 @@ +## Microsoft Open Source Code of Conduct + +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). +For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. + # Windows IT professional documentation Welcome! This repository houses the docs that are written for IT professionals for the following products: diff --git a/ThirdPartyNotices b/ThirdPartyNotices new file mode 100644 index 0000000000..a0bd09d68f --- /dev/null +++ b/ThirdPartyNotices @@ -0,0 +1,15 @@ +##Legal Notices +Microsoft and any contributors grant you a license to the Microsoft documentation and other content +in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode), +see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the +[LICENSE-CODE](LICENSE-CODE) file. + +Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation +may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. +The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. +Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653. + +Privacy information can be found at https://privacy.microsoft.com/en-us/ + +Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, +or trademarks, whether by implication, estoppel or otherwise. \ No newline at end of file diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index b22ded8a4f..207acd7b9a 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -60,7 +60,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings. ### Allow Developer Tools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge. @@ -68,7 +68,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. ### Allow Extensions -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can use Edge Extensions. @@ -77,7 +77,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use Edge Extensions. ### Allow InPrivate browsing -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing. @@ -86,7 +86,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use InPrivate website browsing. ### Allow Microsoft Compatibility List -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. @@ -172,7 +172,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info. ### Configure Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. @@ -214,7 +214,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. ### Configure Start pages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. @@ -282,7 +282,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge. ### Prevent access to the about:flags page -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -291,7 +291,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can access the about:flags page. ### Prevent bypassing Windows Defender SmartScreen prompts for files -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. @@ -300,7 +300,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process. ### Prevent bypassing Windows Defender SmartScreen prompts for sites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. @@ -327,7 +327,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time. ### Prevent using Localhost IP address for WebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. @@ -362,7 +362,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don't configure this setting (default), the default search engine is set to the one specified in App settings. ### Show message when opening sites in Internet Explorer -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. @@ -452,7 +452,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **2.** Blocks all cookies from all sites. ### AllowDeveloperTools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -486,7 +486,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Employees can send Do Not Track headers to websites requesting tracking info. ### AllowExtensions -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop @@ -537,7 +537,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. ### AllowInPrivate -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -730,7 +730,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. ### Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -752,7 +752,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11. ### FirstRunURL -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Mobile @@ -771,7 +771,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### HomePages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -790,7 +790,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### PreventAccessToAboutFlagsInMicrosoftEdge -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop @@ -841,7 +841,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. ### PreventSmartScreenPromptOverride -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -858,7 +858,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Turns on Windows Defender SmartScreen. ### PreventSmartScreenPromptOverrideForFiles -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -875,7 +875,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files. ### PreventUsingLocalHostIPAddressForWebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -926,7 +926,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Allows you to configure the default search engine for your employees. ### ShowMessageWhenOpeningInteretExplorerSites -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index f701181fcb..5d807a4e97 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -1,4 +1,6 @@ # [Microsoft Surface Hub](index.md) +## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) +## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) ## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) ### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md) ### [Create and test a device account](create-and-test-a-device-account-surface-hub.md) @@ -10,7 +12,7 @@ #### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) #### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md) #### [Password management](password-management-for-surface-hub-device-accounts.md) -### [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) +### [Create provisioning packages](provisioning-packages-for-surface-hub.md) ### [Admin group management](admin-group-management-for-surface-hub.md) ## [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) ### [Setup worksheet](setup-worksheet-surface-hub.md) @@ -28,13 +30,12 @@ #### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) #### [Wireless network management](wireless-network-management-for-surface-hub.md) ### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) -### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md) +### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) ### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) ### [Using a room control system](use-room-control-system-with-surface-hub.md) -## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) -## [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md) -## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) -## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) +## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) +## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) +## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) ## [Change history for Surface Hub](change-history-surface-hub.md) \ No newline at end of file diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 46348c087d..7ea46504e4 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surfacehub ms.sitesec: library -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett | Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. | | Other options | Defaults selected for **Visual options** and **Touch feedback**. | -Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md): +Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md): - Narrator - Magnifier - High contrast diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 7607199209..2abc8df009 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 76275e3ec8..b04dd91222 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -1,5 +1,5 @@ --- -title: Appendix PowerShell (Surface Hub) +title: PowerShell for Surface Hub (Surface Hub) description: PowerShell scripts to help set up and manage your Microsoft Surface Hub . ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784 keywords: PowerShell, set up Surface Hub, manage Surface Hub @@ -7,14 +7,14 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- -# Appendix: PowerShell (Surface Hub) +# PowerShell for Surface Hub -PowerShell scripts to help set up and manage your Microsoft Surface Hub . +PowerShell scripts to help set up and manage your Microsoft Surface Hub. - [PowerShell scripts for Surface Hub admins](#scripts-for-admins) - [Create an on-premise account](#create-on-premise-ps-scripts) @@ -43,7 +43,8 @@ What do you need in order to run the scripts? - Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers. - Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers. ->**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub. +>[!NOTE] +>Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.   diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md index f6cad56654..e49731d001 100644 --- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 74ee57c2f5..d8d69bb450 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -14,6 +14,10 @@ localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). + ## February 2017 | New or changed topic | Description | diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md index 6dc6bf7016..2ad7a30571 100644 --- a/devices/surface-hub/change-surface-hub-device-account.md +++ b/devices/surface-hub/change-surface-hub-device-account.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 914b6136e6..b6719175f5 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index 9930a748e3..5c6ab373e5 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index f2cb38c5f2..0d070c1ae5 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -49,21 +49,49 @@ If you see a blank screen for long periods of time during the **Reset device** p ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png) -3. Click **Recovery**, and then click **Get started**. +3. Click **Recovery**, and then, under **Reset device**, click **Get started**. ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) -## Reset a Surface Hub from Windows Recovery Environment + +## Recover a Surface Hub from the cloud -On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE). +In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support. -**To reset a Surface Hub from Windows Recovery Environment** +### Recover a Surface Hub in a bad state + +If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. + +1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**. + +2. Under **Recover from the cloud**, click **Restart now**. + + ![recover from the cloud](images/recover-from-the-cloud.png) + +### Recover a locked Surface Hub + +On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). 1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. -2. The device should automatically boot into Windows RE. Select **Advanced Repair**. -3. Select **Reset**. -4. If prompted, enter your device's BitLocker key. +2. The device should automatically boot into Windows RE. +3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) + >[!NOTE] + >When using **Recover from the cloud**, an ethernet connection is recommended. + + ![Recover from the cloud](images/recover-from-cloud.png) + +4. Enter the Bitlocker key (if prompted). +5. When prompted, select **Reinstall**. + ![Reinstall](images/reinstall.png) + +6. Select **Yes** to repartition the disk. + + ![Repartition](images/repartition.png) + +Reset will begin after the image is downloaded from the cloud. You will see progress indicators. + +![downloading 97&](images/recover-progress.png) ## Related topics diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md index 73557c1f2c..e6d812ea78 100644 --- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md +++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md @@ -33,7 +33,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users. > [!NOTE] -> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**. +> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **End session**. *Organization policies that this may affect:*
Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub. @@ -46,7 +46,7 @@ Users have access to a limited set of directories on the Surface Hub: - Pictures - Downloads -Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive. +Files saved locally in these directories are deleted when users press **End session**. To save content created during a meeting, users should save files to a USB drive or to OneDrive. *Organization policies that this may affect:*
Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders. diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md index 3e9df023a1..527eaf6198 100644 --- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md new file mode 100644 index 0000000000..8733038060 --- /dev/null +++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md @@ -0,0 +1,92 @@ +--- +title: End session - ending a Surface Hub meeting +description: To end a Surface Hub meeting, tap End session. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. +keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerMS +localizationpriority: medium +--- + +# End a Surface Hub meeting with End session +Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states: +- Applications +- Operating system +- User interface + +This topic explains what **End session** resets for each of these states. + +## Applications +When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **End session** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. + +### Close applications +Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. + +### Delete browser history +Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. This is similar to how a user can clear out their browser history manually, but **End session** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. + +### Reset applications +**End session** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. + +### Remove Skype logs +Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **End session** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. + +## Operating System +The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. + +### File System +Meeting attendees have access to a limited set of directories on the Surface Hub. When **End session** is selected, Surface Hub clears these directories:
+- Music +- Videos +- Documents +- Pictures +- Downloads + +Surface Hub also clears these directories, since many applications often write to them: +- Desktop +- Favorites +- Recent +- Public Documents +- Public Music +- Public Videos +- Public Downloads + +### Credentials +User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **End session**. + +## User interface +User interface (UI) settings are returned to their default values when **End session** is selected. + +### UI items +- Reset Quick Actions to default state +- Clear Toast notifications +- Reset volume levels +- Reset sidebar width +- Reset tablet mode layout +- Sign user out of Office 365 meetings and files + +### Accessibility +Accessibility features and apps are returned to default settings when **End session** is selected. +- Filter keys +- High contrast +- Sticky keys +- Toggle keys +- Mouse keys +- Magnifier +- Narrator + +### Clipboard +The clipboard is cleared to remove data that was copied to the clipboard during the session. + +## Frequently asked questions +**What happens if I forget to tap End session at the end of a meeting, and someone else uses the Surface Hub later?**
+Surface Hub only cleans up meeting content when users tap **End session**. If you leave the meeting without tapping **End session**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. You can also disable the ability to resume a session if **End session** is not pressed. + +**Are documents recoverable?**
+Removing files from the hard drive when **End session** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting. + +**Do the clean-up actions from End session comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+No. Currently, the clean-up actions from **End session** do not comply with this standard. + diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 6ee36023cc..4e6ceac8b8 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -43,9 +43,10 @@ Each of these sections also contains information about paths you might take when This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device. ->**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. +>[!NOTE] +>This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. -  + Select a language and the initial setup options are displayed. ![Image showing ICD options checklist.](images/setuplocale.png) @@ -326,6 +327,9 @@ This is what happens when you choose an option. - **Use Microsoft Azure Active Directory** Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. After joining, admins from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. + + >[!IMPORTANT] + >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. - **Use Active Directory Domain Services** @@ -382,7 +386,7 @@ Once the device has been domain joined, you must specify a security group from t The following input is required: - **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device. -- **User name:** The user name of an account that has sufficient permission to join the specified domain. +- **User name:** The user name of an account that has sufficient permission to join the specified domain. This account must be a computer object. - **Password:** The password for the account. After the credentials are verified, you will be asked to type a security group name. This input is required. diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md deleted file mode 100644 index ccf99db112..0000000000 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ /dev/null @@ -1,91 +0,0 @@ ---- -title: I am done - ending a Surface Hub meeting -description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. -keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# End a Surface Hub meeting with I'm Done -Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states: -- Applications -- Operating system -- User interface - -This topic explains what **I'm Done** resets for each of these states. - -## Applications -When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. - -### Close applications -Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. - -### Delete browser history -Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. This is similar to how a user can clear out their browser history manually, but **I'm Done** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. - -### Reset applications -**I'm Done** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. - -### Remove Skype logs -Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **I'm Done** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. - -## Operating System -The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. - -### File System -Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:
-- Music -- Videos -- Documents -- Pictures -- Downloads - -Surface Hub also clears these directories, since many applications often write to them: -- Desktop -- Favorites -- Recent -- Public Documents -- Public Music -- Public Videos -- Public Downloads - -### Credentials -User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**. - -## User interface -User interface (UI) settings are returned to their default values when **I'm Done** is selected. - -### UI items -- Reset Quick Actions to default state -- Clear Toast notifications -- Reset volume levels -- Reset sidebar width -- Reset tablet mode layout - -### Accessibility -Accessibility features and apps are returned to default settings when **I'm Done** is selected. -- Filter keys -- High contrast -- Sticky keys -- Toggle keys -- Mouse keys -- Magnifier -- Narrator - -### Clipboard -The clipboard is cleared to remove data that was copied to the clipboard during the session. - -## Frequently asked questions -**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**
-Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. - -**Are documents recoverable?**
-Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting. - -**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
-No. Currently, the clean-up actions from **I'm Done** do not comply with this standard. - diff --git a/devices/surface-hub/images/OOBE-2.jpg b/devices/surface-hub/images/OOBE-2.jpg new file mode 100644 index 0000000000..0c615a2ec4 Binary files /dev/null and b/devices/surface-hub/images/OOBE-2.jpg differ diff --git a/devices/surface-hub/images/account-management-details.PNG b/devices/surface-hub/images/account-management-details.PNG new file mode 100644 index 0000000000..66712394ec Binary files /dev/null and b/devices/surface-hub/images/account-management-details.PNG differ diff --git a/devices/surface-hub/images/account-management.PNG b/devices/surface-hub/images/account-management.PNG new file mode 100644 index 0000000000..34165dfcd6 Binary files /dev/null and b/devices/surface-hub/images/account-management.PNG differ diff --git a/devices/surface-hub/images/add-applications-details.PNG b/devices/surface-hub/images/add-applications-details.PNG new file mode 100644 index 0000000000..2efd3483ae Binary files /dev/null and b/devices/surface-hub/images/add-applications-details.PNG differ diff --git a/devices/surface-hub/images/add-applications.PNG b/devices/surface-hub/images/add-applications.PNG new file mode 100644 index 0000000000..2316deb2fd Binary files /dev/null and b/devices/surface-hub/images/add-applications.PNG differ diff --git a/devices/surface-hub/images/add-certificates-details.PNG b/devices/surface-hub/images/add-certificates-details.PNG new file mode 100644 index 0000000000..78cd783282 Binary files /dev/null and b/devices/surface-hub/images/add-certificates-details.PNG differ diff --git a/devices/surface-hub/images/add-certificates.PNG b/devices/surface-hub/images/add-certificates.PNG new file mode 100644 index 0000000000..24cb605d1c Binary files /dev/null and b/devices/surface-hub/images/add-certificates.PNG differ diff --git a/devices/surface-hub/images/add-config-file-details.PNG b/devices/surface-hub/images/add-config-file-details.PNG new file mode 100644 index 0000000000..c7b4db97e6 Binary files /dev/null and b/devices/surface-hub/images/add-config-file-details.PNG differ diff --git a/devices/surface-hub/images/add-config-file.PNG b/devices/surface-hub/images/add-config-file.PNG new file mode 100644 index 0000000000..5b779509d9 Binary files /dev/null and b/devices/surface-hub/images/add-config-file.PNG differ diff --git a/devices/surface-hub/images/apps.png b/devices/surface-hub/images/apps.png new file mode 100644 index 0000000000..5cb3b7ec8f Binary files /dev/null and b/devices/surface-hub/images/apps.png differ diff --git a/devices/surface-hub/images/developer-setup.PNG b/devices/surface-hub/images/developer-setup.PNG new file mode 100644 index 0000000000..8c93d5ed91 Binary files /dev/null and b/devices/surface-hub/images/developer-setup.PNG differ diff --git a/devices/surface-hub/images/enroll-mdm-details.PNG b/devices/surface-hub/images/enroll-mdm-details.PNG new file mode 100644 index 0000000000..f3a7fea8da Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm-details.PNG differ diff --git a/devices/surface-hub/images/enroll-mdm.PNG b/devices/surface-hub/images/enroll-mdm.PNG new file mode 100644 index 0000000000..b7cfdbc767 Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm.PNG differ diff --git a/devices/surface-hub/images/finish-details.png b/devices/surface-hub/images/finish-details.png new file mode 100644 index 0000000000..727efac696 Binary files /dev/null and b/devices/surface-hub/images/finish-details.png differ diff --git a/devices/surface-hub/images/finish.PNG b/devices/surface-hub/images/finish.PNG new file mode 100644 index 0000000000..7c65da1799 Binary files /dev/null and b/devices/surface-hub/images/finish.PNG differ diff --git a/devices/surface-hub/images/five.png b/devices/surface-hub/images/five.png new file mode 100644 index 0000000000..961f0e15b7 Binary files /dev/null and b/devices/surface-hub/images/five.png differ diff --git a/devices/surface-hub/images/four.png b/devices/surface-hub/images/four.png new file mode 100644 index 0000000000..0fef213b37 Binary files /dev/null and b/devices/surface-hub/images/four.png differ diff --git a/devices/surface-hub/images/icd-simple-edit.png b/devices/surface-hub/images/icd-simple-edit.png new file mode 100644 index 0000000000..aea2e24c8a Binary files /dev/null and b/devices/surface-hub/images/icd-simple-edit.png differ diff --git a/devices/surface-hub/images/one.png b/devices/surface-hub/images/one.png new file mode 100644 index 0000000000..42b4742c49 Binary files /dev/null and b/devices/surface-hub/images/one.png differ diff --git a/devices/surface-hub/images/ppkg-config.png b/devices/surface-hub/images/ppkg-config.png new file mode 100644 index 0000000000..10a2b7de58 Binary files /dev/null and b/devices/surface-hub/images/ppkg-config.png differ diff --git a/devices/surface-hub/images/ppkg-csv.png b/devices/surface-hub/images/ppkg-csv.png new file mode 100644 index 0000000000..0648f555e1 Binary files /dev/null and b/devices/surface-hub/images/ppkg-csv.png differ diff --git a/devices/surface-hub/images/proxy-details.PNG b/devices/surface-hub/images/proxy-details.PNG new file mode 100644 index 0000000000..fcc7b06a41 Binary files /dev/null and b/devices/surface-hub/images/proxy-details.PNG differ diff --git a/devices/surface-hub/images/proxy.PNG b/devices/surface-hub/images/proxy.PNG new file mode 100644 index 0000000000..cdfc02c454 Binary files /dev/null and b/devices/surface-hub/images/proxy.PNG differ diff --git a/devices/surface-hub/images/recover-from-cloud.png b/devices/surface-hub/images/recover-from-cloud.png new file mode 100644 index 0000000000..7d409edc5f Binary files /dev/null and b/devices/surface-hub/images/recover-from-cloud.png differ diff --git a/devices/surface-hub/images/recover-from-the-cloud.png b/devices/surface-hub/images/recover-from-the-cloud.png new file mode 100644 index 0000000000..07c1e22851 Binary files /dev/null and b/devices/surface-hub/images/recover-from-the-cloud.png differ diff --git a/devices/surface-hub/images/recover-progress.png b/devices/surface-hub/images/recover-progress.png new file mode 100644 index 0000000000..316d830a57 Binary files /dev/null and b/devices/surface-hub/images/recover-progress.png differ diff --git a/devices/surface-hub/images/reinstall.png b/devices/surface-hub/images/reinstall.png new file mode 100644 index 0000000000..2f307841aa Binary files /dev/null and b/devices/surface-hub/images/reinstall.png differ diff --git a/devices/surface-hub/images/repartition.png b/devices/surface-hub/images/repartition.png new file mode 100644 index 0000000000..26725a8c54 Binary files /dev/null and b/devices/surface-hub/images/repartition.png differ diff --git a/devices/surface-hub/images/set-up-device-admins-details.PNG b/devices/surface-hub/images/set-up-device-admins-details.PNG new file mode 100644 index 0000000000..42c04b4b3b Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins-details.PNG differ diff --git a/devices/surface-hub/images/set-up-device-admins.PNG b/devices/surface-hub/images/set-up-device-admins.PNG new file mode 100644 index 0000000000..e0e037903c Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins.PNG differ diff --git a/devices/surface-hub/images/set-up-device-details.PNG b/devices/surface-hub/images/set-up-device-details.PNG new file mode 100644 index 0000000000..be565ac8d9 Binary files /dev/null and b/devices/surface-hub/images/set-up-device-details.PNG differ diff --git a/devices/surface-hub/images/set-up-device.PNG b/devices/surface-hub/images/set-up-device.PNG new file mode 100644 index 0000000000..0c9eb0e3ff Binary files /dev/null and b/devices/surface-hub/images/set-up-device.PNG differ diff --git a/devices/surface-hub/images/set-up-network-details.PNG b/devices/surface-hub/images/set-up-network-details.PNG new file mode 100644 index 0000000000..7e1391326c Binary files /dev/null and b/devices/surface-hub/images/set-up-network-details.PNG differ diff --git a/devices/surface-hub/images/set-up-network.PNG b/devices/surface-hub/images/set-up-network.PNG new file mode 100644 index 0000000000..a0e856c103 Binary files /dev/null and b/devices/surface-hub/images/set-up-network.PNG differ diff --git a/devices/surface-hub/images/sh-55-rpc-ports.png b/devices/surface-hub/images/sh-55-rpc-ports.png index dfea48ef96..7df98f2277 100644 Binary files a/devices/surface-hub/images/sh-55-rpc-ports.png and b/devices/surface-hub/images/sh-55-rpc-ports.png differ diff --git a/devices/surface-hub/images/sh-quick-action.png b/devices/surface-hub/images/sh-quick-action.png index cb072a9793..3003e464b3 100644 Binary files a/devices/surface-hub/images/sh-quick-action.png and b/devices/surface-hub/images/sh-quick-action.png differ diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png index b3e35bb385..f3a9a6dc5c 100644 Binary files a/devices/surface-hub/images/sh-settings-reset-device.png and b/devices/surface-hub/images/sh-settings-reset-device.png differ diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png index a10d4ffb51..59212d1805 100644 Binary files a/devices/surface-hub/images/sh-settings-update-security.png and b/devices/surface-hub/images/sh-settings-update-security.png differ diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png index 03125b3419..0134fda740 100644 Binary files a/devices/surface-hub/images/sh-settings.png and b/devices/surface-hub/images/sh-settings.png differ diff --git a/devices/surface-hub/images/six.png b/devices/surface-hub/images/six.png new file mode 100644 index 0000000000..2816328ec3 Binary files /dev/null and b/devices/surface-hub/images/six.png differ diff --git a/devices/surface-hub/images/surfacehub.png b/devices/surface-hub/images/surfacehub.png new file mode 100644 index 0000000000..1b9b484ab8 Binary files /dev/null and b/devices/surface-hub/images/surfacehub.png differ diff --git a/devices/surface-hub/images/three.png b/devices/surface-hub/images/three.png new file mode 100644 index 0000000000..887fa270d7 Binary files /dev/null and b/devices/surface-hub/images/three.png differ diff --git a/devices/surface-hub/images/two.png b/devices/surface-hub/images/two.png new file mode 100644 index 0000000000..b8c2d52eaf Binary files /dev/null and b/devices/surface-hub/images/two.png differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index 22e94d2746..dabf0f1f6e 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -12,19 +12,36 @@ localizationpriority: medium # Microsoft Surface Hub +>[Looking for the user's guide for Surface Hub?](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) + +
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.![image of a Surface Hub](images/surfacehub.png)
+  + +## Surface Hub setup process + +In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: + +1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) +2. [Gather the information listed in the Setup worksheet](setup-worksheet-surface-hub.md) +2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) +3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) -Documents related to deploying and managing the Microsoft Surface Hub in your organization. ->[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub) ## In this section | Topic | Description | | --- | --- | -| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.| +| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). | | [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. | -| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | +| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. | +| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. | +| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | +| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | +| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. | +| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | | [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. | -| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. | +| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. | + diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index d26712627a..dea976e29f 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub, store -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md index dea2a514bd..7d17d33c38 100644 --- a/devices/surface-hub/local-management-surface-hub-settings.md +++ b/devices/surface-hub/local-management-surface-hub-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -16,29 +16,38 @@ After initial setup of Microsoft Surface Hub, the device’s settings can be loc ## Surface Hub settings -Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs. +Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only configurable on Surface Hubs. | Setting | Location | Description | | ------- | -------- | ----------- | -| Device account | This device > Accounts | Set or change the Surface Hub's device account. | -| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | -| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | -| Change admin account password | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | -| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. | -| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. | -| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. | -| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. | -| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. | -| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. | -| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. | -| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | -| Welcome screen background | This device > Welcome screen | Choose a background image for the welcome screen. | -| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. | -| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | -| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | -| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. | +| Device account | Surface Hub > Accounts | Set or change the Surface Hub's device account. | +| Device account sync status | Surface Hub > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | +| Password rotation | Surface Hub > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | +| Change admin account password | Surface Hub > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | +| Device Management | Surface Hub > Device management | Manage policies and business applications using mobile device management (MDM). | +| Provisioning packages | Surface Hub > Device management | Set or change provisioning packages installed on the Surface Hub. | +| Configure Operations Management Suite (OMS) | Surface Hub > Device management | Set up monitoring for your Surface Hub using OMS. | +| Open the Windows Store app | Surface Hub > Apps & features | The Windows Store app is only available to admins through the Settings app. | +| Skype for Business domain name | Surface Hub > Calling & Audio | Configure a domain name for your Skype for Business server. | +| Default Speaker volume | Surface Hub > Calling & Audio | Configure the default speaker volume for the Surface Hub when it starts a session. | +| Default microphone and speaker settings | Surface Hub > Calling & Audio | Configure a default microphone and speaker for calls, and a default speaker for media playback. | +| Enable Dolby Audio X2 | Surface Hub > Calling & Audio | Configure the Dolby Audio X2 speaker enhancements. | +| Open Connect App automatically | Surface Hub > Projection | Choose whether projection will automatically open the Connect app or wait for user input before opening. | +| Turn off wireless projection using Miracast | Surface Hub > Projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. | +| Require a PIN for wireless projection | Surface Hub > Projection | Choose whether people are required to enter a PIN before they use wireless projection. | +| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. | +| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | +| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. | +| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. | +| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. | +| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. | +| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. | +| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | +| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | +| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. | | Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. | | Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. | +| Recover from the cloud | Update & security > Recovery | Reinstall the operating system on Surface Hub to a manufacturer build from the cloud. | | Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. | | Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. | diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md deleted file mode 100644 index db9230f9ad..0000000000 --- a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Manage settings with a local admin account (Surface Hub) -description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device. -ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679 -redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub -keywords: local admin account, Surface Hub, change local admin options -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 8cadcb7309..c1913c01cc 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -69,9 +69,19 @@ For more information, see [SurfaceHub configuration service provider](https://ms | Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes.
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set default volume | Properties/DefaultVolume | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set session timeout | Properties/SessionTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Supported Windows 10 settings @@ -87,7 +97,7 @@ The following tables include info on Windows 10 settings that have been validate | Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Browser settings @@ -102,7 +112,7 @@ The following tables include info on Windows 10 settings that have been validate | Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Update settings @@ -115,7 +125,7 @@ The following tables include info on Windows 10 settings that have been validate | Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes| | Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Defender settings @@ -123,7 +133,7 @@ The following tables include info on Windows 10 settings that have been validate | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | | Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Remote reboot @@ -132,7 +142,7 @@ The following tables include info on Windows 10 settings that have been validate | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | | Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Install certificates @@ -142,7 +152,7 @@ The following tables include info on Windows 10 settings that have been validate -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Collect logs @@ -151,7 +161,7 @@ The following tables include info on Windows 10 settings that have been validate | Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager. @@ -252,7 +262,7 @@ For more information, see [Create configuration items for Windows 8.1 and Window [Manage Microsoft Surface Hub](manage-surface-hub.md) -[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) +   diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index 5413d28a30..ecfbb7c584 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index b464c430f2..95b3b394bd 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -30,7 +30,7 @@ Learn about managing and updating Surface Hub. | [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. | | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network | | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.| -| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.| +| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 659e2a6ae5..f54bd79038 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index 4b96956704..27f722e175 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 8914899056..7a4a8ed551 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 6510d41971..0c25519753 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md index c6c3db5d36..851ae60a58 100644 --- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md index 489e6a03a3..3ea7a56b63 100644 --- a/devices/surface-hub/physically-install-your-surface-hub-device.md +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, readiness -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index f5c342d43d..e11e0e6e42 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -27,11 +27,12 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | +| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 - HTTP: 80 +- NTP: 123 Depending on your environment, access to additional ports may be needed: - For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). @@ -49,7 +50,7 @@ Surface Hub interacts with a few different products and services. Depending on t ## Create and verify device account -A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. +A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. After you've created your device account, there are a couple of ways to verify that it's setup correctly. - Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md deleted file mode 100644 index 73dd21ac2e..0000000000 --- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md +++ /dev/null @@ -1,221 +0,0 @@ ---- -title: Create provisioning packages (Surface Hub) -description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. -ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 -keywords: add certificate, provisioning package -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Create provisioning packages (Surface Hub) - -This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. - -You can apply a provisioning package using a USB during first run, or through the **Settings** app. - - -## Advantages -- Quickly configure devices without using a MDM provider. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages) - - -## Requirements - -To create and apply a provisioning package to a Surface Hub, you'll need the following: - -- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740). -- A PC running Windows 10. -- A USB flash drive. -- If you apply the package using the **Settings** app, you'll need device admin credentials. - -You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. - - -## Supported items for Surface Hub provisioning packages - -Currently, you can add these items to provisioning packages for Surface Hub: -- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange. -- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev. -- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. -- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). - - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). - -2. Click **Advanced provisioning**. - - ![ICD start options](images/ICDstart-option.PNG) - -3. Name your project and click **Next**. - -4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. - - ![ICD new project](images/icd-new-project.png) - -5. In the project, under **Available customizations**, select **Common Team edition settings**. - - ![ICD common settings](images/icd-common-settings.png) - - -### Add a certificate to your package -You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. - -> [!NOTE] -> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. - -2. Enter a **CertificateName** and then click **Add**. - -2. Enter the **CertificatePassword**. - -3. For **CertificatePath**, browse and select the certificate. - -4. Set **ExportCertificate** to **False**. - -5. For **KeyLocation**, select **Software only**. - - -### Add a Universal Windows Platform (UWP) app to your package -Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business. - -1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. - -2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags. - -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). - -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies. - -If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package. - -1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license". - -2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**. - -3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute. - -4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1. - - -### Add a policy to your package -Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**. - -2. Select one of the available policy areas. - -3. Select and set the policy you want to add to your provisioning package. - - -### Add Surface Hub settings to your package - -You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. - -1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**. - -2. Select one of the available setting areas. - -3. Select and set the setting you want to add to your provisioning package. - - -## Build your package - -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. - -2. Read the warning that project files may contain sensitive information, and click **OK**. - - > [!IMPORTANT] - > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -3. On the **Export** menu, click **Provisioning package**. - -4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. - -5. Set a value for **Package Version**, and then select **Next.** - - > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. - -6. Optional: You can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package. - - > [!IMPORTANT] - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

-Optionally, you can click **Browse** to change the default output location. - -8. Click **Next**. - -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive. - - -## Apply a provisioning package to Surface Hub - -There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). - - -### Apply a provisioning package during first run - -> [!IMPORTANT] -> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. - -1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. - -2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/provisioningpackageoobe-01.png) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/provisioningpackageoobe-02.png) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run. - - ![Choose a package](images/provisioningpackageoobe-03.png) - -5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program. - - ![Do you trust this package?](images/provisioningpackageoobe-04.png) - - -### Apply a package using Settings - -1. Insert the USB flash drive containing the .ppkg file into the Surface Hub. - -2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted. - -3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**. - -4. Select **Add a package**. - -5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted. - -6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**. diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md new file mode 100644 index 0000000000..0d3604f6ad --- /dev/null +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md @@ -0,0 +1,319 @@ +--- +title: Create provisioning packages (Surface Hub) +description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages. +ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 +keywords: add certificate, provisioning package +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerMS +localizationpriority: medium +--- + +# Create provisioning packages (Surface Hub) + +This topic explains how to create a provisioning package using the Windows Configuration Designer, and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. + +You can apply a provisioning package using a USB stick during first-run setup, or through the **Settings** app. + + +## Advantages +- Quickly configure devices without using a mobile device management (MDM) provider. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/configure/provisioning-packages) + + +## Requirements + +To create and apply a provisioning package to a Surface Hub, you'll need the following: + +- Windows Configuration Designer, which can be installed from Windows Store or from the Windows 10 Assessment and Deployment Kit (ADK). [Learn how to install Windows Configuration Designer.](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd) +- A USB stick. +- If you apply the package using the **Settings** app, you'll need device admin credentials. + +You create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. + + +## Supported items for Surface Hub provisioning packages + +Using the **Provision Surface Hub devices** wizard, you can: + +- Enroll in Active Directory, Azure Active Directory, or MDM +- Create an device administrator account +- Add applications and certificates +- Configure proxy settings +- Add a Surface Hub configuration file + +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using the wizard. + +Using the advanced provisioning editor, you can add these items to provisioning packages for Surface Hub: + +- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#surfacehubpolicies). +- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). + +>[!TIP] +> Use the wizard to create a package with the common settings, then switch to the advanced editor to add other settings. +> +>![open advanced editor](images/icd-simple-edit.png) + +## Use the Surface Hub provisioning wizard + +After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package. + +### Create the provisioning package + +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. Click **Provision Surface Hub devices**. + +3. Name your project and click **Next**. + +### Configure settings + + + + + + + + + +
![step one](images/one.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.		![add a certificate](images/add-certificates-details.png)
![step two](images/two.png) ![configure proxy settings](images/proxy.png)

Toggle **Yes** or **No** for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select **No** if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting **Yes** and **Automatically detect settings**.

If you toggle **Yes**, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server). 		![configure proxy settings](images/proxy-details.png)
![step three](images/three.png) ![device admins](images/set-up-device-admins.png)

You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Active Directory, Azure AD, or create a local admin account](images/set-up-device-admins-details.png)
![step four](images/four.png) ![enroll in device management](images/enroll-mdm.png)

Toggle **Yes** or **No** for enrollment in MDM.

If you toggle **Yes**, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. [Learn more about managing Surface Hub with MDM.](manage-settings-with-mdm-for-surface-hub.md)		![enroll in mobile device management](images/enroll-mdm-details.png)
![step five](images/five.png) ![add applications](images/add-applications.png)

You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps).

**Important:** Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail. 		![add an application](images/add-applications-details.png)
![step six](images/six.png) ![Add configuration file](images/add-config-file.png)

You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See [Sample configuration file](#sample-configuration-file) for an example.

**Important:** The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703. 		![Add a Surface Hub configuration file](images/add-config-file-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		![Protect your package](images/finish-details.png)
+ +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + +## Sample configuration file + +A Surface Hub configuration file contains a list of device accounts that your device can use to connect to Exchange and Skype for Business. When you apply a provisioning package to Surface Hub, you can include a configuration file in the root directory of the USB flash drive, and then select the desired account to apply to that device. The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703. + +Use Microsoft Excel or other CSV editor to create a CSV file named `SurfaceHubConfiguration.csv`. In the file, enter a list of device accounts and friendly names in this format: + +``` +,, +``` +>[!IMPORTANT] +>Because the configuration file stores the device account passwords in plaintext, we recommend that you update the passwords after you've applied the provisioning package to your devices. You can use the [DeviceAccount node](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp#deviceaccount) in the [Surface Hub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) to update the passwords via MDM. + + +The following is an example of `SurfaceHubConfiguration.csv`. + +``` +Rainier@contoso.com,password,Rainier Surface Hub +Adams@contoso.com,password,Adams Surface Hub +Baker@contoso.com,password,Baker Surface Hub +Glacier@constoso.com,password,Glacier Surface Hub +Stuart@contoso.com,password,Stuart Surface Hub +Fernow@contoso.com,password,Fernow Surface Hub +Goode@contoso.com,password,Goode Surface Hub +Shuksan@contoso.com,password,Shuksan Surface Hub +Buckner@contoso.com,password,Buckner Surface Hub +Logan@contoso.com,password,Logan Surface Hub +Maude@consoto.com,password,Maude Surface hub +Spickard@contoso.com,password,Spickard Surface Hub +Redoubt@contoso.com,password,Redoubt Surface Hub +Dome@contoso.com,password,Dome Surface Hub +Eldorado@contoso.com,password,Eldorado Surface Hub +Dragontail@contoso.com,password,Dragontail Surface Hub +Forbidden@contoso.com,password,Forbidden Surface Hub +Oval@contoso.com,password,Oval Surface Hub +StHelens@contoso.com,password,St Helens Surface Hub +Rushmore@contoso.com,password,Rushmore Surface Hub +``` + +## Use advanced provisioning + +After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package. + +### Create the provisioning package (advanced) + +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. Click **Advanced provisioning**. + +3. Name your project and click **Next**. + +4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. + + ![ICD new project](images/icd-new-project.png) + +5. In the project, under **Available customizations**, select **Common Team edition settings**. + + ![ICD common settings](images/icd-common-settings.png) + + +### Add a certificate to your package +You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. + +> [!NOTE] +> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add a Universal Windows Platform (UWP) app to your package +Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business. + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. + +2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags. + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies. + +If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package. + +1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license". + +2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**. + +3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute. + +4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1. + + +### Add a policy to your package +Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. + +1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**. + +2. Select one of the available policy areas. + +3. Select and set the policy you want to add to your provisioning package. + + +### Add Surface Hub settings to your package + +You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. + +1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**. + +2. Select one of the available setting areas. + +3. Select and set the setting you want to add to your provisioning package. + + +## Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. + + > [!IMPORTANT] + > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. + +5. Set a value for **Package Version**, and then select **Next.** + + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. + +6. Optional: You can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package. + + > [!IMPORTANT] + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location. + +8. Click **Next**. + +9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive. + + +## Apply a provisioning package to Surface Hub + +There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). + + +### Apply a provisioning package during first run + +> [!IMPORTANT] +> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. + +1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. + +2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**. + + ![Set up device?](images/provisioningpackageoobe-01.png) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/provisioningpackageoobe-02.png) + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run. + + ![Choose a package](images/provisioningpackageoobe-03.png) + +5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. + + ![Do you trust this package?](images/provisioningpackageoobe-04.png) + +6. If a configuration file is included in the root directory of the USB flash drive, you will see **Select a configuration**. The first device account in the configuration file will be shown with a summary of the account information that will be applied to the Surface Hub. + + ![select a configuration](images/ppkg-config.png) + +7. In **Select a configuration**, select the device name to apply, and then click **Next**. + + ![select a friendly device name](images/ppkg-csv.png) + +The settings from the provisioning package will be applied to the device and OOBE will be complete. After the device restarts, you can remove the USB flash drive. + +### Apply a package using Settings + +1. Insert the USB flash drive containing the .ppkg file into the Surface Hub. + +2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted. + +3. Navigate to **Surface Hub** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**. + +4. Select **Add a package**. + +5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted. + +6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**. + + diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md index 41588251fe..57bd619f8b 100644 --- a/devices/surface-hub/remote-surface-hub-management.md +++ b/devices/surface-hub/remote-surface-hub-management.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md index 2354de0f40..6e6b8b5317 100644 --- a/devices/surface-hub/save-bitlocker-key-surface-hub.md +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md index 95b7c2c92f..96310f473c 100644 --- a/devices/surface-hub/set-up-your-surface-hub.md +++ b/devices/surface-hub/set-up-your-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md index a77cf5850f..d8e7f921c0 100644 --- a/devices/surface-hub/setup-worksheet-surface-hub.md +++ b/devices/surface-hub/setup-worksheet-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md new file mode 100644 index 0000000000..537d6c55a9 --- /dev/null +++ b/devices/surface-hub/surfacehub-whats-new-1703.md @@ -0,0 +1,31 @@ +--- +title: What's new in Windows 10, version 1703 for Surface Hub +description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub. +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: devices +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# What's new in Windows 10, version 1703 for Microsoft Surface Hub? + +Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub: + + +- Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [Learn more about the new settings.](manage-settings-with-mdm-for-surface-hub.md) + +- An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md) + +- When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery) + >[!NOTE] + >Cloud recovery doesn't work if you use proxy servers. + +- **I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md) + + + + + + diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index cc3bd57b95..ff05c19f62 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: support ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md index fbed027215..512cf6b4bf 100644 --- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md +++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md @@ -3,7 +3,7 @@ title: Use fully qualified doman name with Surface Hub description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"] -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -16,7 +16,7 @@ There are a few scenarios where you need to specify the domain name of your Skyp **To configure the domain name for your Skype for Business server**
1. On Surface Hub, open **Settings**. -2. Click **This device**, and then click **Calling**. +2. Click **Surface Hub**, and then click **Calling & Audio**. 3. Under **Skype for Business configuration**, click **Configure domain name**. 4. Type the domain name for your Skype for Business server, and then click **Ok**. > [!TIP] diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 16fd8c71d1..4ff4665c6a 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md index 0ccd6ad70d..db080ce397 100644 --- a/devices/surface-hub/wireless-network-management-for-surface-hub.md +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, networking -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -24,7 +24,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele ### Choose a wireless access point 1. On the Surface Hub, open **Settings** and enter your admin credentials. -2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**. +2. Click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**. ![Image showing Wi-Fi settings, Network & Internet page.](images/networkmgtwireless-01.png) @@ -35,7 +35,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele ### Review wireless settings 1. On the Surface Hub, open **Settings** and enter your admin credentials. -2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**. +2. Click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**. 3. Surface Hub shows you the properties for the wireless network connection. ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png) diff --git a/license.md b/license.md deleted file mode 100644 index 0e5cb57b99..0000000000 --- a/license.md +++ /dev/null @@ -1,7 +0,0 @@ -Copyright (c) Microsoft Corporation. Distributed under the following terms: - -1. Microsoft and any contributors to this project each grants you a license, under its respective copyrights, to the documentation under the [Creative Commons Attribution 3.0 United States License](http://creativecommons.org/licenses/by/3.0/us/legalcode). In addition, with respect to any sample code contained in the documentation, Microsoft and any such contributors grants you an additional license, under its respective intellectual property rights, to use the code to develop or design your software for Microsoft Windows. - -2. Microsoft, Windows, and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. This license does not grant you rights to use any names, logos, or trademarks. For Microsoft’s general trademark guidelines, go to [https://go.microsoft.com/fwlink/?LinkID=254653](https://go.microsoft.com/fwlink/?LinkID=254653). - -3. Microsoft and any contributors reserves all others rights, whether under copyrights, patents, or trademarks, or by implication, estoppel or otherwise. diff --git a/windows/configure/TOC.md b/windows/configure/TOC.md index de79f737e1..7051cc29db 100644 --- a/windows/configure/TOC.md +++ b/windows/configure/TOC.md @@ -3,28 +3,30 @@ ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) ## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) -### [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md) +### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) ### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) ### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) ### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) ## [Configure Windows 10 Mobile devices](configure-mobile.md) ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) -### [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) +#### [NFC-based device provisioning](provisioning-nfc.md) +#### [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md) +### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md) ### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) ### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) ### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) +### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) ## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) -### [Windows Spotlight on the lock screen](windows-spotlight.md) +### [Configure Windows Spotlight on the lock screen](windows-spotlight.md) ### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) ### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) #### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) #### [Customize and export Start layout](customize-and-export-start-layout.md) #### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -#### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) #### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -#### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -#### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +#### [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) #### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) ## [Cortana integration in your business or enterprise](cortana-at-work-overview.md) ### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md) @@ -45,14 +47,14 @@ ## [Provisioning packages for Windows 10](provisioning-packages.md) ### [How provisioning works in Windows 10](provisioning-how-it-works.md) ### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) -### [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +### [Install Windows Configuration Designer](provisioning-install-icd.md) ### [Create a provisioning package](provisioning-create-package.md) ### [Apply a provisioning package](provisioning-apply-package.md) ### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -### [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -### [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) +### [Provision PCs with common settings for initial deployment (desktop wizard)](provision-pcs-for-initial-deployment.md) +### [Provision PCs with apps](provision-pcs-with-apps.md) ### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -### [NFC-based device provisioning](provisioning-nfc.md) +### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) ### [Windows ICD command-line interface (reference)](provisioning-command-line.md) ### [Create a provisioning package with multivariant settings](provisioning-multivariant.md) ## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) diff --git a/windows/configure/configure-mobile.md b/windows/configure/configure-mobile.md index fdef1fa5f8..db4bb93e0f 100644 --- a/windows/configure/configure-mobile.md +++ b/windows/configure/configure-mobile.md @@ -1,5 +1,5 @@ --- -title: configure mobile +title: Configure Windows 10 Mobile devices description: keywords: Windows 10, MDM, WSUS, Windows update ms.prod: w10 @@ -10,5 +10,19 @@ localizationpriority: high author: jdeckerMS --- -# configure mobile +# Configure Windows 10 Mobile devices + +Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk). + +## In this section + +| Topic | Description | +| --- | --- | +| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. | +| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. | +| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. | +| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. | +| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. This reference topic describes the supported elements and attributes for the LayoutModification.xml file. | +| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. | +| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. | diff --git a/windows/configure/customize-and-export-start-layout.md b/windows/configure/customize-and-export-start-layout.md index 102272ce54..cbff20b284 100644 --- a/windows/configure/customize-and-export-start-layout.md +++ b/windows/configure/customize-and-export-start-layout.md @@ -36,7 +36,7 @@ You can deploy the resulting .xml file to devices using one of the following met - [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) @@ -47,7 +47,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a **To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. 2. Create a new user account that you will use to customize the Start layout. @@ -70,7 +70,8 @@ To prepare a Start layout for export, you simply customize the Start layout on a - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. -## Export the Start layout + +## Export the Start layout When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file. diff --git a/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md index 47b68d045b..5a2c3940fa 100644 --- a/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with Group Policy (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. +title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 keywords: ["Start layout", "start menu", "layout", "group policy"] ms.prod: w10 @@ -19,7 +19,7 @@ localizationpriority: high >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. @@ -33,7 +33,7 @@ This topic describes how to update Group Policy settings to display a customized ## Operating system requirements -Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro. +Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, version 1607. Start and taskbar layout control is supported in Windows 10 Pro in Windows 10, version 1703. The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](https://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base. diff --git a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md index 2ccace55f5..16f95659b2 100644 --- a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. +title: Customize Windows 10 Start and taskbar with mobile device management (MDM) (Windows 10) +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 keywords: ["start screen", "start menu"] ms.prod: w10 @@ -10,7 +10,7 @@ author: jdeckerMS localizationpriority: medium --- -# Customize Windows 10 Start with mobile device management (MDM) +# Customize Windows 10 Start and taskbar with mobile device management (MDM) **Applies to** @@ -18,18 +18,17 @@ localizationpriority: medium - Windows 10 - Windows 10 Mobile -**Looking for consumer information?** +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +>[!NOTE] +>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -> **Note:** Customized taskbar configuration cannot be applied using MDM at this time. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. - -**Warning**   -When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. +>[!WARNING]  +>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.   @@ -40,8 +39,8 @@ Two features enable Start layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >[!NOTE]   + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.   diff --git a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 7cc8395f8b..aded7204d4 100644 --- a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10) +title: Customize Windows 10 Start and tasbkar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC keywords: ["Start layout", "start menu"] @@ -10,7 +10,7 @@ author: jdeckerMS localizationpriority: medium --- -# Customize Windows 10 Start and taskbar with ICD and provisioning packages +# Customize Windows 10 Start and taskbar with provisioning packages **Applies to** @@ -18,16 +18,14 @@ localizationpriority: medium - Windows 10 - Windows 10 Mobile -**Looking for consumer information?** +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. >[!IMPORTANT] >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. ## How Start layout control works @@ -42,17 +40,18 @@ Three features enable Start and taskbar layout control: - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. -- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. +- In Windows Configuration Designer, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. ## Create a provisioning package that contains a customized Start layout -Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + 2. Choose **Advanced provisioning**. 3. Name your project, and click **Next**. diff --git a/windows/configure/guidelines-for-assigned-access-app.md b/windows/configure/guidelines-for-assigned-access-app.md index 0552f8af1a..30dd845161 100644 --- a/windows/configure/guidelines-for-assigned-access-app.md +++ b/windows/configure/guidelines-for-assigned-access-app.md @@ -20,7 +20,7 @@ localizationpriority: high You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. -The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607. +The following guidelines may help you choose an appropriate Windows app for your assigned access experience. ## General guidelines @@ -82,19 +82,7 @@ The above guidelines may help you select or develop an appropriate Windows app f [Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) -## Related topics -[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) - -[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) - -[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) - -    diff --git a/windows/configure/images/account-management-details.PNG b/windows/configure/images/account-management-details.PNG new file mode 100644 index 0000000000..e4307d8f7b Binary files /dev/null and b/windows/configure/images/account-management-details.PNG differ diff --git a/windows/configure/images/account-management.PNG b/windows/configure/images/account-management.PNG new file mode 100644 index 0000000000..34165dfcd6 Binary files /dev/null and b/windows/configure/images/account-management.PNG differ diff --git a/windows/configure/images/add-applications-details.PNG b/windows/configure/images/add-applications-details.PNG new file mode 100644 index 0000000000..2efd3483ae Binary files /dev/null and b/windows/configure/images/add-applications-details.PNG differ diff --git a/windows/configure/images/add-applications.PNG b/windows/configure/images/add-applications.PNG new file mode 100644 index 0000000000..2316deb2fd Binary files /dev/null and b/windows/configure/images/add-applications.PNG differ diff --git a/windows/configure/images/add-certificates-details.PNG b/windows/configure/images/add-certificates-details.PNG new file mode 100644 index 0000000000..78cd783282 Binary files /dev/null and b/windows/configure/images/add-certificates-details.PNG differ diff --git a/windows/configure/images/add-certificates.PNG b/windows/configure/images/add-certificates.PNG new file mode 100644 index 0000000000..24cb605d1c Binary files /dev/null and b/windows/configure/images/add-certificates.PNG differ diff --git a/windows/configure/images/apps.png b/windows/configure/images/apps.png new file mode 100644 index 0000000000..5cb3b7ec8f Binary files /dev/null and b/windows/configure/images/apps.png differ diff --git a/windows/configure/images/bulk-enroll-mobile-details.PNG b/windows/configure/images/bulk-enroll-mobile-details.PNG new file mode 100644 index 0000000000..8329d39cfc Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile-details.PNG differ diff --git a/windows/configure/images/bulk-enroll-mobile.PNG b/windows/configure/images/bulk-enroll-mobile.PNG new file mode 100644 index 0000000000..812b57e8e0 Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile.PNG differ diff --git a/windows/configure/images/developer-setup.PNG b/windows/configure/images/developer-setup.PNG new file mode 100644 index 0000000000..8c93d5ed91 Binary files /dev/null and b/windows/configure/images/developer-setup.PNG differ diff --git a/windows/configure/images/finish-details-mobile.PNG b/windows/configure/images/finish-details-mobile.PNG new file mode 100644 index 0000000000..c25a6b4b2f Binary files /dev/null and b/windows/configure/images/finish-details-mobile.PNG differ diff --git a/windows/configure/images/finish-details.png b/windows/configure/images/finish-details.png new file mode 100644 index 0000000000..727efac696 Binary files /dev/null and b/windows/configure/images/finish-details.png differ diff --git a/windows/configure/images/finish-mobile.PNG b/windows/configure/images/finish-mobile.PNG new file mode 100644 index 0000000000..336e24289e Binary files /dev/null and b/windows/configure/images/finish-mobile.PNG differ diff --git a/windows/configure/images/finish.PNG b/windows/configure/images/finish.PNG new file mode 100644 index 0000000000..7c65da1799 Binary files /dev/null and b/windows/configure/images/finish.PNG differ diff --git a/windows/configure/images/icd-create-options-1703.PNG b/windows/configure/images/icd-create-options-1703.PNG new file mode 100644 index 0000000000..007e740683 Binary files /dev/null and b/windows/configure/images/icd-create-options-1703.PNG differ diff --git a/windows/configure/images/icd-desktop-1703.PNG b/windows/configure/images/icd-desktop-1703.PNG new file mode 100644 index 0000000000..7c060af4d0 Binary files /dev/null and b/windows/configure/images/icd-desktop-1703.PNG differ diff --git a/windows/configure/images/kiosk-account-details.PNG b/windows/configure/images/kiosk-account-details.PNG new file mode 100644 index 0000000000..53c31880ea Binary files /dev/null and b/windows/configure/images/kiosk-account-details.PNG differ diff --git a/windows/configure/images/kiosk-account.PNG b/windows/configure/images/kiosk-account.PNG new file mode 100644 index 0000000000..f78f9b9d56 Binary files /dev/null and b/windows/configure/images/kiosk-account.PNG differ diff --git a/windows/configure/images/kiosk-common-details.PNG b/windows/configure/images/kiosk-common-details.PNG new file mode 100644 index 0000000000..5eda9b293e Binary files /dev/null and b/windows/configure/images/kiosk-common-details.PNG differ diff --git a/windows/configure/images/kiosk-common.PNG b/windows/configure/images/kiosk-common.PNG new file mode 100644 index 0000000000..f5873a53aa Binary files /dev/null and b/windows/configure/images/kiosk-common.PNG differ diff --git a/windows/configure/images/ld-apps.PNG b/windows/configure/images/ld-apps.PNG new file mode 100644 index 0000000000..ef65ff9a52 Binary files /dev/null and b/windows/configure/images/ld-apps.PNG differ diff --git a/windows/configure/images/ld-buttons.PNG b/windows/configure/images/ld-buttons.PNG new file mode 100644 index 0000000000..d89eff3b35 Binary files /dev/null and b/windows/configure/images/ld-buttons.PNG differ diff --git a/windows/configure/images/ld-connect.PNG b/windows/configure/images/ld-connect.PNG new file mode 100644 index 0000000000..15094b0e2b Binary files /dev/null and b/windows/configure/images/ld-connect.PNG differ diff --git a/windows/configure/images/ld-csp.PNG b/windows/configure/images/ld-csp.PNG new file mode 100644 index 0000000000..6d7caa5163 Binary files /dev/null and b/windows/configure/images/ld-csp.PNG differ diff --git a/windows/configure/images/ld-export.PNG b/windows/configure/images/ld-export.PNG new file mode 100644 index 0000000000..970e5939bc Binary files /dev/null and b/windows/configure/images/ld-export.PNG differ diff --git a/windows/configure/images/ld-other.PNG b/windows/configure/images/ld-other.PNG new file mode 100644 index 0000000000..c8b5f7518a Binary files /dev/null and b/windows/configure/images/ld-other.PNG differ diff --git a/windows/configure/images/ld-pair.PNG b/windows/configure/images/ld-pair.PNG new file mode 100644 index 0000000000..0859810e73 Binary files /dev/null and b/windows/configure/images/ld-pair.PNG differ diff --git a/windows/configure/images/ld-quick.PNG b/windows/configure/images/ld-quick.PNG new file mode 100644 index 0000000000..63a6173103 Binary files /dev/null and b/windows/configure/images/ld-quick.PNG differ diff --git a/windows/configure/images/ld-settings.PNG b/windows/configure/images/ld-settings.PNG new file mode 100644 index 0000000000..eb6a37d925 Binary files /dev/null and b/windows/configure/images/ld-settings.PNG differ diff --git a/windows/configure/images/ld-start.PNG b/windows/configure/images/ld-start.PNG new file mode 100644 index 0000000000..4081f3e1e2 Binary files /dev/null and b/windows/configure/images/ld-start.PNG differ diff --git a/windows/configure/images/ld-sync.PNG b/windows/configure/images/ld-sync.PNG new file mode 100644 index 0000000000..3f54d910ac Binary files /dev/null and b/windows/configure/images/ld-sync.PNG differ diff --git a/windows/configure/images/ldstore.PNG b/windows/configure/images/ldstore.PNG new file mode 100644 index 0000000000..63f0eedee7 Binary files /dev/null and b/windows/configure/images/ldstore.PNG differ diff --git a/windows/configure/images/lily.jpg b/windows/configure/images/lily.jpg new file mode 100644 index 0000000000..eb144d1f2b Binary files /dev/null and b/windows/configure/images/lily.jpg differ diff --git a/windows/configure/images/set-up-device-details-desktop.PNG b/windows/configure/images/set-up-device-details-desktop.PNG new file mode 100644 index 0000000000..97c8a1b704 Binary files /dev/null and b/windows/configure/images/set-up-device-details-desktop.PNG differ diff --git a/windows/configure/images/set-up-device-details-mobile.PNG b/windows/configure/images/set-up-device-details-mobile.PNG new file mode 100644 index 0000000000..f41fe99a72 Binary files /dev/null and b/windows/configure/images/set-up-device-details-mobile.PNG differ diff --git a/windows/configure/images/set-up-device-details.PNG b/windows/configure/images/set-up-device-details.PNG new file mode 100644 index 0000000000..031dac6fe6 Binary files /dev/null and b/windows/configure/images/set-up-device-details.PNG differ diff --git a/windows/configure/images/set-up-device-mobile.PNG b/windows/configure/images/set-up-device-mobile.PNG new file mode 100644 index 0000000000..b8173385d4 Binary files /dev/null and b/windows/configure/images/set-up-device-mobile.PNG differ diff --git a/windows/configure/images/set-up-device.PNG b/windows/configure/images/set-up-device.PNG new file mode 100644 index 0000000000..0c9eb0e3ff Binary files /dev/null and b/windows/configure/images/set-up-device.PNG differ diff --git a/windows/configure/images/set-up-network-details-desktop.PNG b/windows/configure/images/set-up-network-details-desktop.PNG new file mode 100644 index 0000000000..83911ccbd0 Binary files /dev/null and b/windows/configure/images/set-up-network-details-desktop.PNG differ diff --git a/windows/configure/images/set-up-network-details-mobile.PNG b/windows/configure/images/set-up-network-details-mobile.PNG new file mode 100644 index 0000000000..8f515ba1f6 Binary files /dev/null and b/windows/configure/images/set-up-network-details-mobile.PNG differ diff --git a/windows/configure/images/set-up-network-details.PNG b/windows/configure/images/set-up-network-details.PNG new file mode 100644 index 0000000000..778b8497c4 Binary files /dev/null and b/windows/configure/images/set-up-network-details.PNG differ diff --git a/windows/configure/images/set-up-network-mobile.PNG b/windows/configure/images/set-up-network-mobile.PNG new file mode 100644 index 0000000000..9442b33e90 Binary files /dev/null and b/windows/configure/images/set-up-network-mobile.PNG differ diff --git a/windows/configure/images/set-up-network.PNG b/windows/configure/images/set-up-network.PNG new file mode 100644 index 0000000000..a0e856c103 Binary files /dev/null and b/windows/configure/images/set-up-network.PNG differ diff --git a/windows/configure/images/seven.png b/windows/configure/images/seven.png new file mode 100644 index 0000000000..285a92df0b Binary files /dev/null and b/windows/configure/images/seven.png differ diff --git a/windows/configure/images/six.png b/windows/configure/images/six.png index 8bf761ef20..e8906332ec 100644 Binary files a/windows/configure/images/six.png and b/windows/configure/images/six.png differ diff --git a/windows/configure/images/startannotated.png b/windows/configure/images/startannotated.png index d46f3a70c2..9261fd9078 100644 Binary files a/windows/configure/images/startannotated.png and b/windows/configure/images/startannotated.png differ diff --git a/windows/configure/index.md b/windows/configure/index.md index eceae9b24b..bbe9b61e15 100644 --- a/windows/configure/index.md +++ b/windows/configure/index.md @@ -18,17 +18,17 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | -| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | se this article to make informed decisions about how you can configure Windows telemetry in your organization. | -| [Manage connections from Windows operating system components to Microsoft services] (manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. | +| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. | +| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | -| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | | -| [Configure Windows 10 Mobile devices](configure-mobile.md) | | -| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | | -| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | | +| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. | +| [Configure Windows 10 Mobile devices](configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | +| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. | +| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. | | [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. | -| [Provisioning packages for Windows 10](provisioning-packages.md) | | +| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. | | [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. | -| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | | +| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | This topic lists new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile. | diff --git a/windows/configure/kiosk-shared-pc.md b/windows/configure/kiosk-shared-pc.md index e434735152..2afc67e022 100644 --- a/windows/configure/kiosk-shared-pc.md +++ b/windows/configure/kiosk-shared-pc.md @@ -1,14 +1,23 @@ --- -title: kiosk shared pc (Windows 10) +title: Configure kiosk and shared devices running Windows desktop editions (Windows 10) description: -keywords: Windows 10, MDM, WSUS, Windows update ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +localizationpriority: medium author: jdeckerMS --- -# kiosk shared pc +# Configure kiosk and shared devices running Windows desktop editions +Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app). + +## In this section + +| Topic | Description | +| --- | --- | +| [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. | +| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. | +| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. | \ No newline at end of file diff --git a/windows/configure/lock-down-windows-10-to-specific-apps.md b/windows/configure/lock-down-windows-10-to-specific-apps.md index 8ab992a6f0..8ae79ef7f2 100644 --- a/windows/configure/lock-down-windows-10-to-specific-apps.md +++ b/windows/configure/lock-down-windows-10-to-specific-apps.md @@ -112,14 +112,11 @@ In addition to specifying the apps that users can run, you should also restrict To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442). -## Customize Start screen layout for the device +## Customize Start screen layout for the device (recommended) Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). -## Related topics - -- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)   diff --git a/windows/configure/lockdown-xml.md b/windows/configure/lockdown-xml.md index 869ce086e1..7525f64aa6 100644 --- a/windows/configure/lockdown-xml.md +++ b/windows/configure/lockdown-xml.md @@ -19,9 +19,9 @@ localizationpriority: high Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. -This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. +This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. -Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). +In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file. > [!NOTE] > On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). @@ -33,17 +33,17 @@ If you're not familiar with CSPs, read [Introduction to configuration service pr Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. ```xml - - + + - - - - - - - - + + + + + + + + ``` @@ -52,7 +52,8 @@ Let's start by looking at the basic structure of the lockdown XML file. You can The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. -> **Tip**  Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. +>[!TIP] +>Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. ## Action Center @@ -325,27 +326,28 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when ![XML for settings](images/SettingsXML.png) -The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings. +The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. ```xml ``` -In the following example, all system setting pages are enabled. +In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. + +In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled. ```xml - - - - - - - - - - + + + + + + + + + ``` @@ -372,10 +374,10 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Start screen size Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - * Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). - * Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - + - Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). + - Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). + If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340) @@ -383,47 +385,50 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Configure additional roles - You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. +You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. - [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). +[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). - In the XML file, you define each role with a GUID and name, as shown in the following example: +In the XML file, you define each role with a GUID and name, as shown in the following example: - ```xml - - ``` +```xml + +``` + +You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. - You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. +You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - - ```xml +```xml - - - - - - - - + + + + + + + + - - - - - - - + + + + + + + - ``` + +## Validate your XML + +You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-xsd). ## Add lockdown XML to a provisioning package @@ -605,13 +610,12 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - + + + - - + + @@ -706,17 +710,16 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - - + + + + - - + + - - + + @@ -858,13 +861,4 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) \ No newline at end of file diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configure/mobile-lockdown-designer.md index ffd367b09a..ee7d0aa8b6 100644 --- a/windows/configure/mobile-lockdown-designer.md +++ b/windows/configure/mobile-lockdown-designer.md @@ -1,14 +1,165 @@ --- -title: lockdown designer (Windows 10) +title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10) description: -keywords: Windows 10, MDM, WSUS, Windows update ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +localizationpriority: medium author: jdeckerMS --- -# lockdown designer +# Use the Lockdown Designer app to create a Lockdown XML file + +![Lockdown Designer in the Store](images/ldstore.png) + +Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. + +When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. + +The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md). + + + +## Overview + +Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC. + +>[!NOTE] +>Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device. + +Lockdown Designer will populate the available settings and apps to configure from the connected device. Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML. + +When you're done, you export the configuration to a lockdown XML file. This configuration can be applied to any device running Windows 10 Mobile, version 1703. + +>[!NOTE] +>You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app. + +## Prepare the test mobile device + +Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer. + +1. Install all apps on the device that you want to include in the configuration, including line-of-business apps. + +2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**. + +3. Read the disclaimer, then click **Yes** to accept the change. + +4. Enable **Device discovery**, and then turn on **Device Portal**. + +## Prepare the PC + +[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC. + +If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi. + +If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC: + +1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service. + +2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` + + >[!NOTE] + >Loopback is permitted only for development purposes. To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` + + + + +## Connect the mobile device to Lockdown Designer + +**Using Wi-Fi** + +1. Open Lockdown Designer. + +2. Click **Create new project**. + +3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**. + +2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`. + +3. Click **Pair**. + + ![Pair](images/ld-pair.png) + + **Connect to remote device** appears. + +4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. + +5. On the PC, in **Connect to remote device**, enter the code from the mobile device. + +6. Next, click **Sync** to pull information from the device in to Lockdown Designer. + + ![Sync](images/ld-sync.png) + +7. Click the **Save** icon and enter a name for your project. + +**Using a USB cable** + +1. Open Lockdown Designer. + +2. Click **Create new project**. + +2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device. + +3. On the **Project setting** > **General settings** page, click **Pair**. + + ![Pair](images/ld-pair.png) + + **Connect to remote device** appears. + +4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. + +5. On the PC, in **Connect to remote device**, enter the code from the mobile device. + +6. Next, click **Sync** to pull information from the device in to Lockdown Designer. + + ![Sync](images/ld-sync.png) + +7. Click the **Save** icon and enter a name for your project. + + +## Configure your lockdown XML settings + +The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. The following table describes what you can configure on each page. + +| Page | Description | +| --- | --- | +| ![Applications](images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | +| ![CSP Runner](images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | +| ![Settings](images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | +| ![Quick actions](images/ld-quick.png) | On this page, you select the settings that you want visible to users. | +| ![Buttons](images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | +| ![Other settings](images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | +| ![Start screen](images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | + + +## Validate and export + +On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid. + +>[!WARNING] +>Lockdown Designer cannot validate SyncML that you imported to CSPRunner. + +Click **Export** to generate the XML file for your project. You can select the location to save the file. + +## Create and configure multiple roles + +You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role. + +>[!NOTE] +>Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) + +**For each role:** + +1. On the **Project setting** page, click **Role management**. + +2. Click **Add a role**. + +3. Enter a name for the role, and then click **Save**. + +4. Configure the settings for the role as above, but make sure on each page that you select the correct role. + + ![Current role selection box](images/ld-role.png) + + diff --git a/windows/configure/provision-pcs-for-initial-deployment.md b/windows/configure/provision-pcs-for-initial-deployment.md index 86c8e234ff..c23f3d854c 100644 --- a/windows/configure/provision-pcs-for-initial-deployment.md +++ b/windows/configure/provision-pcs-for-initial-deployment.md @@ -10,14 +10,14 @@ author: jdeckerMS localizationpriority: high --- -# Provision PCs with common settings for initial deployment (simple provisioning) +# Provision PCs with common settings for initial deployment (desktop wizard) **Applies to** - Windows 10 -This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. +This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. @@ -32,66 +32,59 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur [Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) -## What does simple provisioning do? +## What does the desktop wizard do? -In a simple provisioning package, you can configure: +The desktop wizard helps you configure the following settings in a provisioning package: -- Device name -- Upgraded product edition -- Wi-Fi network -- Active Directory enrollment -- Local administrator account +- Set device name +- Upgrade product edition +- Configure the device for shared use +- Remove pre-installed software +- Configure Wi-Fi network +- Enroll device in Active Directory or Azure Active Directory +- Create local administrator account +- Add applications and certificates -Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. + +Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. > [!TIP] -> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. - -![open advanced editor](images/icd-simple-edit.png) +> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. +> +>![open advanced editor](images/icd-simple-edit.png) ## Create the provisioning package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). -2. Click **Simple provisioning**. +2. Click **Provision desktop devices**. - ![ICD start options](images/icdstart-option.png) + ![ICD start options](images/icd-create-options-1703.png) -3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. - - ![ICD simple provisioning](images/icd-simple.png) - -4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. - -5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - -6. Click **Set up network**. - -7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. - -8. Click **Enroll into Active Directory**. - -9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account. - - > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. - - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -10. Click **Finish**. - -11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. - -12. Click **Create**. +3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. + ![ICD desktop provisioning](images/icd-desktop-1703.png) + > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +## Configure settings + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](set-up-shared-or-guest-pc.md)

You can also select to remove pre-installed software from the device. 		![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details-desktop.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](images/set-up-network-details-desktop.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). 		![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.		![add a certificate](images/add-certificates-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		![Protect your package](images/finish-details.png)
+ +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) @@ -107,14 +100,15 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Use the package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provision-pcs-with-apps-and-certificates.md b/windows/configure/provision-pcs-with-apps-and-certificates.md index 6e4614a977..b5e03dbb14 100644 --- a/windows/configure/provision-pcs-with-apps-and-certificates.md +++ b/windows/configure/provision-pcs-with-apps-and-certificates.md @@ -17,6 +17,7 @@ localizationpriority: high - Windows 10 +DEPRECATED - See [Provision PCs with apps](provision-pcs-with-apps.md) This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. @@ -183,14 +184,15 @@ If your build is successful, the name of the provisioning package, output direct - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) - [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Use the package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provision-pcs-with-apps.md b/windows/configure/provision-pcs-with-apps.md new file mode 100644 index 0000000000..2314c30c16 --- /dev/null +++ b/windows/configure/provision-pcs-with-apps.md @@ -0,0 +1,207 @@ +--- +title: Provision PCs with apps (Windows 10) +description: Add apps to a Windows 10 provisioning package. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Provision PCs with apps + + +**Applies to** + +- Windows 10 + + +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. + +When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). + +## Settings for UWP apps + +- **License Path**: Specify the license file if it is an app from the Windows Store. This is optional if you have a certificate for the app. + +- **Package family name**: Specify the package family name if you don’t specify a license. This field will be auto-populated after you specify a license. + +- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app + +## Settings for Classic Windows apps + +### MSI installer + +- **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE + +- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install + +- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app + +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. + +### Exe or other installer + +- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append additional flags + +- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited. + +- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install + +- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app + +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. + + + +## Add an app using advanced editor in Windows Configuration Designer + + +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. + +2. Add all the files required for the app install, including the data files and the installer. + +3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. + +> [!NOTE] +> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md). + + +### Add a universal app to your package + +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. + +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. + + ![details for offline app package](images/uwp-family.png) + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. + + ![required frameworks for offline app package](images/uwp-dependencies.png) + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. + + - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. + + ![generate license for offline app](images/uwp-license.png) + + - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. + +6. In the **Available customizations** pane, click the **LicenseProductId** that you just added. + +7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file. + +[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) + +> [!NOTE] +> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. + + + +### Add a certificate to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate to be used. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add other settings to your package + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). + +### Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + > [!TIP]   + > You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + + - NFC (mobile only) + + + +**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +  + +## Related topics + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + diff --git a/windows/configure/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md index 1125dd6985..2fa9efb09a 100644 --- a/windows/configure/provisioning-apply-package.md +++ b/windows/configure/provisioning-apply-package.md @@ -42,25 +42,7 @@ Provisioning packages can be applied to a device during the first-run experience ![Do you trust this package?](images/trust-package.png) -6. Read and accept the Microsoft Software License Terms. - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) ### After setup, from a USB drive, network folder, or SharePoint site @@ -97,23 +79,17 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Access work o -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configure/provisioning-command-line.md b/windows/configure/provisioning-command-line.md index d5c52aabac..a2e16343b0 100644 --- a/windows/configure/provisioning-command-line.md +++ b/windows/configure/provisioning-command-line.md @@ -1,5 +1,5 @@ --- -title: Windows ICD command-line interface (Windows 10) +title: Windows Configuration Designer command-line interface (Windows 10) description: ms.prod: w10 ms.mktglfcycl: deploy @@ -8,7 +8,7 @@ author: jdeckerMS localizationpriority: high --- -# Windows ICD command-line interface (reference) +# Windows Configuration Designer command-line interface (reference) **Applies to** @@ -16,11 +16,11 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. +You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. -- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges. +- IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. -- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). @@ -38,9 +38,9 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | --- | --- | --- | | /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | -| /StoreFile | No


See Important note. | For partners using a settings store other than the default store(s) used by Windows ICD, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows ICD.


**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | +| /StoreFile | No


See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.


**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /Variables | No | Specifies a semicolon separated and macro pair. The format for the argument must be =. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows ICD auto-generates the decryption password and includes this information in the output.


Precede with + for encryption or - for no encryption. The default is no encryption. | +| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer auto-generates the decryption password and includes this information in the output.


Precede with + for encryption or - for no encryption. The default is no encryption. | | Overwrite | No | Denotes whether to overwrite an existing provisioning package.


Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | @@ -51,14 +51,13 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   diff --git a/windows/configure/provisioning-configure-mobile.md b/windows/configure/provisioning-configure-mobile.md index 55a100ecdd..5c1a5048cf 100644 --- a/windows/configure/provisioning-configure-mobile.md +++ b/windows/configure/provisioning-configure-mobile.md @@ -1,7 +1,7 @@ --- -title: provisioning mobile (Windows 10) +title: Use Windows Configuration Designer to configure Windows 10 Mobile devices (Windows 10) description: -keywords: Windows 10, MDM, WSUS, Windows update +keywords: phone, handheld, lockdown, customize ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -10,5 +10,77 @@ localizationpriority: high author: jdeckerMS --- -# provisioning mobile +# Use Windows Configuration Designer to configure Windows 10 Mobile devices +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, ayou can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes. + +A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. + +Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Windows Store. [Learn more about installing Windows Configuration Designer.](provisioning-install-icd.md) + +## Create a provisioning package using the wizard + +The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow. + +### Start a new project + +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. On the **Start** page, choose **Provision Windows mobile devices**. + +3. Enter a name for your project, and then click **Next**. + + +### Configure settings in the wizard + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device-mobile.png)

Enter a device name.

Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise. 		![device name, upgrade license](images/set-up-device-details-mobile.png)
![step two](images/two.png) ![set up network](images/set-up-network-mobile.png)

Toggle **On** or **Off** for wireless network connectivity.

If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](images/set-up-network-details-mobile.png)
![step three](images/three.png) ![bulk enrollment in Azure Active Directory](images/bulk-enroll-mobile.png)

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. 		![Enter expiration and get bulk token](images/bulk-enroll-mobile-details.png)
![step four](images/four.png) ![finish](images/finish-mobile.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		![Protect your package](images/finish-details-mobile.png)
+ +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + +### Apply provisioning package + +You can apply a provisioning package to a device running Windows 10 Mobile by using: + +- removable media +- copying the provisioning package to the device +- [NFC tags](provisioning-nfc.md) +- [barcodes](provisioning-package-splitter.md) + +### Using removable media + +1. Insert an SD card containing the provisioning package into the device. +2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. + + ![add a package option](images/packages-mobile.png) + +3. Click **Add**. + +4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. + + ![Is this package from a source you trust](images/package-trust.png) + +### Copying the provisioning package to the device + +1. Connect the device to your PC through USB. + +2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. + +3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. + + ![Is this package from a source you trust](images/package-trust.png) + + +## Related topics + +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the package splitter tool](provisioning-package-splitter.md) \ No newline at end of file diff --git a/windows/configure/provisioning-create-package.md b/windows/configure/provisioning-create-package.md index f543e6d10f..a73b54f4f8 100644 --- a/windows/configure/provisioning-create-package.md +++ b/windows/configure/provisioning-create-package.md @@ -16,30 +16,40 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You use Windows Imaging and Configuration Designer (ICD) to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10. +You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. ->[Learn how to install Windows ICD.](provisioning-install-icd.md) +>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) + +>[!TIP] +>We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. ## Start a new project -1. Open Windows ICD: - - From either the Start screen or Start menu search, type 'Imaging and Configuration Designer' and click on the Windows ICD shortcut, +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, or - - Navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. -2. Select your desired option on the **Start** page, which offers three options for creating a provisioning package, as shown in the following image: +2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Simple provisioning or provision school devices or advanced provisioning](images/icd-create-options.png) + ![Configuration Designer wizards](images/icd-create-options-1703.png) - - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings. - - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. + - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). - >[!TIP] - >You can start a project in the simple editor and then switch the project to the advanced editor. - > - >![Switch to advanced editor](images/icd-switch.png) + - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) + - [Instructions for the mobile wizard](provisioning-configure-mobile.md) + - [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) + - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) + + - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. *The rest of this procedure uses advanced provisioning.* + + >[!TIP] + > You can start a project in the simple wizard editor and then switch the project to the advanced editor. + > + > ![Switch to advanced editor](images/icd-switch.png) 3. Enter a name for your project, and then click **Next**. @@ -59,19 +69,18 @@ You use Windows Imaging and Configuration Designer (ICD) to create a provisionin >[!TIP] >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. -After you click **Finish**, Windows ICD will open the appropriate walkthrough page if you selected **Simple provisioning** or **Provision school devices**, or the **Available customizations** pane if you selected **Advanced provisioning**. The remainder of this topic will explain the **Advanced provisioning scenario**. +After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package. + -- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md). -- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain). ## Configure settings -For an advanced provisioning project, Windows ICD opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. +For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. ![What the ICD interface looks like](images/icd-runtime.png) -The settings in Windows ICD are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). +The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). The process for configuring settings is similar for all settings. The following table shows an example. @@ -83,9 +92,9 @@ The process for configuring settings is similar for all settings. The following ![step five](images/five.png)
When the setting is configured, it is displayed in the **Selected customizations** pane.![Selected customizations pane](images/icd-step5.png) -For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image. +For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows ICD opens the reference topic when you select a setting](images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting](images/icd-setting-help.png) ## Build package @@ -110,7 +119,7 @@ For details on each specific setting, see [Windows Provisioning settings referen > >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. 5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. @@ -128,22 +137,21 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Learn more -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://docs.microsoft.com/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configure/provisioning-how-it-works.md b/windows/configure/provisioning-how-it-works.md index 1f9b72eb6c..349dfd08c2 100644 --- a/windows/configure/provisioning-how-it-works.md +++ b/windows/configure/provisioning-how-it-works.md @@ -16,7 +16,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). +Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or through the Windows Store. ## Provisioning packages @@ -58,9 +58,9 @@ When setting conflicts are encountered, the final values provisioned on the devi Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. -Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. +Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. -When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. +When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/provisioning-csp). The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. ## Provisioning engine @@ -77,7 +77,7 @@ The provisioning engine provides the following functionality: ## Configuration manager -The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings. +The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. @@ -115,9 +115,9 @@ When a trigger occurs, provisioning is initiated for a particular provisioning s ## Device provisioning during OOBE -The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. +The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. -Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. +Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. The following table shows how device provisioning can be initiated when a user first boots to OOBE. @@ -125,17 +125,15 @@ The following table shows how device provisioning can be initiated when a user f | Package delivery | Initiation method | Supported device | | --- | --- | --- | | Removable media - USB drive or SD card
(Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices | -| From an administrator device through machine to machine NFC or NFC tag
(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | +| From an administrator device through machine-to-machine NFC or NFC tag
(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | -The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. +The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). ## Device provisioning at runtime -At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime. - -The following table shows when provisioning at device runtime can be initiated. +At device runtime, stand-alone provisioning packages can be applied by user initiation. The following table shows when provisioning at device runtime can be initiated. | Package delivery | Initiation method | Supported device | | --- | --- | --- | @@ -147,7 +145,7 @@ When applying provisioning packages from a removable media attached to the devic When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. -After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device. +After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. ## Learn more @@ -160,15 +158,14 @@ After a standalone provisioning package is applied to the device, the package is ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provisioning-install-icd.md b/windows/configure/provisioning-install-icd.md index 9727bc089d..16ae7f94d5 100644 --- a/windows/configure/provisioning-install-icd.md +++ b/windows/configure/provisioning-install-icd.md @@ -1,6 +1,6 @@ --- -title: Install Windows Imaging and Configuration Designer (Windows 10) -description: Learn how to install and run Windows ICD. +title: Install Windows Configuration Designer (Windows 10) +description: Learn how to install and run Windows Configuration Designer. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,7 +8,7 @@ author: jdeckerMS localizationpriority: high --- -# Install Windows Imaging and Configuration Designer (ICD) +# Install Windows Configuration Designer **Applies to** @@ -16,11 +16,11 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. +Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. ## Supported platforms -Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems: +Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: - Windows 10 - x86 and amd64 - Windows 8.1 Update - x86 and amd64 @@ -33,18 +33,28 @@ Windows ICD can create provisioning packages for Windows 10 desktop and mobile e - Windows Server 2012 - Windows Server 2008 R2 -## Install Windows ICD +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. -1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607). +## Install Windows Configuration Designer + +On devices running Windows 10, you can install [the Windows Configuration Designer app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems or in languages other than English, install it from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +>[!NOTE] +>If you install Windows Configuration Designer from both the ADK and Windows Store, the Store app will not open. +> +>The Windows Configuration Designer App from Windows Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK. + +1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511, 1607, or 1703). >[!NOTE] - >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example. + >The rest of this procedure uses Windows ADK for Windows 10, version 1703 as an example. 2. Save **adksetup.exe** and then run it. 3. On the **Specify Location** page, select an installation path and then click **Next**. >[!NOTE] - >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB. + >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB. 4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**. 5. Accept the **License Agreement**, and then click **Next**. @@ -53,24 +63,24 @@ Windows ICD can create provisioning packages for Windows 10 desktop and mobile e ![Only Configuration Designer selected for installation](images/icd-install.png) -## Current Windows ICD limitations +## Current Windows Configuration Designer limitations -- You can only run one instance of Windows ICD on your computer at a time. +- You can only run one instance of Windows Configuration Designer on your computer at a time. - Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. -- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). -- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time. +- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time. -- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. +- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. -- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. +- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. - For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC. + For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC. -- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. +- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. **Next step**: [How to create a provisioning package](provisioning-create-package.md) @@ -88,10 +98,9 @@ Windows ICD can create provisioning packages for Windows 10 desktop and mobile e - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provisioning-multivariant.md b/windows/configure/provisioning-multivariant.md index d33f1206b5..d28ac354ee 100644 --- a/windows/configure/provisioning-multivariant.md +++ b/windows/configure/provisioning-multivariant.md @@ -302,15 +302,14 @@ The following events trigger provisioning on Windows 10 devices: - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)   diff --git a/windows/configure/provisioning-nfc.md b/windows/configure/provisioning-nfc.md index 114e6d5545..fad3428d0c 100644 --- a/windows/configure/provisioning-nfc.md +++ b/windows/configure/provisioning-nfc.md @@ -17,7 +17,7 @@ localizationpriority: high Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. -The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup or the out-of-box experience (OOBE) phase. Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. +The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. ## Provisioning OOBE UI @@ -131,18 +131,9 @@ For detailed information and code samples on how to implement an NFC-enabled dev ## Related topics -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) +- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)     diff --git a/windows/configure/provisioning-package-splitter.md b/windows/configure/provisioning-package-splitter.md new file mode 100644 index 0000000000..00a62a1ae4 --- /dev/null +++ b/windows/configure/provisioning-package-splitter.md @@ -0,0 +1,88 @@ +--- +title: Barcode provisioning and the package splitter tool (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Barcode provisioning and the package splitter tool + + +**Applies to** + +- Windows 10 Mobile + +Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned. + +The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes. + +Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files. + +The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes. + +When you [install Windows Configuration Designer](provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder. + +## Prerequisites + +Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool. + +- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md). +- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](provisioning-command-line.md). + +## To use the package splitter tool (ppkgtobase64.exe) + +1. Open a command-line window with administrator privileges. + + +2. From the command-line, navigate to the Windows Configuration Designer install directory. + + On an x64 computer, type: + ``` + cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 + ``` + + - or - + + On an x86 computer, type: + + ``` + cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 + ``` + +3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command. + + +### Syntax + +``` +ppkgtobase64.exe -i -o -s [-c] [/?] +``` + +### Switches and arguments + +| Switch | Required? | Arguments | +| --- | --- | --- | +| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.

The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. | +| -o | Yes | Use to specify the directory where the output files will be saved. | +| -s | Yes | Use to specify the size of the block that will be encoded in Base64. | +| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. | +| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | + + + + + +## Related topics + + +  + +  + + + + + diff --git a/windows/configure/provisioning-packages.md b/windows/configure/provisioning-packages.md index 557bf3e595..8732d8c5a3 100644 --- a/windows/configure/provisioning-packages.md +++ b/windows/configure/provisioning-packages.md @@ -14,8 +14,8 @@ localizationpriority: high **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. @@ -23,59 +23,74 @@ A provisioning package (.ppkg) is a container for a collection of configuration Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. -The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages. +The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an [app in the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). -## New in Windows 10, version 1607 -Windows ICD for Windows 10, version 1607, simplifies common provisioning scenarios. -![Configuration Designer options](images/icd.png) -Windows ICD in Windows 10, version 1607, supports the following scenarios for IT administrators: +## New in Windows 10, version 1703 -* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. +- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only. +- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Windows Store. +- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions. +- The wizard **Provision desktop devices** (previously called **Simple provisioning**) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning. +- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning. +- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors. +- The **Provision school devices** wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Windows Store. + - > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) - -* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - - > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md) - -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - - * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) - -> [!NOTE] -> Windows ICD in Windows 10, version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). ## Benefits of provisioning packages Provisioning packages let you: -- Quickly configure a new device without going through the process of installing a new image. +- Quickly configure a new device without going through the process of installing a new image. -- Save time by configuring multiple devices using one provisioning package. +- Save time by configuring multiple devices using one provisioning package. -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. +- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. -- Set up a device without the device having network connectivity. +- Set up a device without the device having network connectivity. Provisioning packages can be: -- Installed using removable media such as an SD card or USB flash drive. +- Installed using removable media such as an SD card or USB flash drive. -- Attached to an email. +- Attached to an email. -- Downloaded from a network share. +- Downloaded from a network share. + +- Deployed in NFC tags or barcodes. ## What you can configure +### Configuration Designer wizards -The following table provides some examples of what you can configure using provisioning packages. +The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. + + + + + + + + + +
**Step****Description****Desktop
wizard**		**Mobile
wizard**		**Kiosk
wizard**
Set up deviceAssign device name,
enter product key to upgrade Windows,
configure shared used,
remove pre-installed software		![yes](images/checkmark.png)![yes](images/checkmark.png)
(Only device name and upgrade key)		![yes](images/checkmark.png)
Set up networkConnect to a Wi-Fit network![yes](images/checkmark.png)![yes](images/checkmark.png)![yes](images/checkmark.png)
Account managementEnroll device in Active Directory,
enroll device in Azure Active Directory,
or create a local administrator account		![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).		![no](images/crossmark.png)![yes](images/checkmark.png)![no](images/crossmark.png)
Add applicationsInstall applications using the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Add certificatesInclude a certificate file in the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Configure kiosk account and appCreate local account to run the kiosk mode app,
specify the app to run in kiosk mode		![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Configure kiosk common settingsSet tablet mode,
configure welcome and shutdown screens,
turn off timeout settings		![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
+ +- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) +- [Instructions for the mobile wizard](provisioning-configure-mobile.md) +- [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + + + +>[!NOTE] +>After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package. + +### Configuration Designer advanced editor + +The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. | Customization options | Examples | |--------------------------|-----------------------------------------------------------------------------------------------| @@ -93,25 +108,52 @@ The following table provides some examples of what you can configure using provi For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). +## Changes to provisioning in Windows 10, version 1607 + +>[!NOTE] +>This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703. + +Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. + +![Configuration Designer options](images/icd.png) + +Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators: + +* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. + + > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) + +* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. + +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: + + * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) + * AirWatch (password-string based enrollment) + * Mobile Iron (password-string based enrollment) + * Other MDMs (cert-based enrollment) + +> [!NOTE] +> Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). + ## Learn more -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) ## Related topics - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) diff --git a/windows/configure/provisioning-powershell.md b/windows/configure/provisioning-powershell.md new file mode 100644 index 0000000000..508bada17f --- /dev/null +++ b/windows/configure/provisioning-powershell.md @@ -0,0 +1,72 @@ +--- +title: PowerShell cmdlets for provisioning Windows 10 (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# PowerShell cmdlets for provisioning Windows 10 (reference) + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. + + + + + + + + + + + +
CmdletUse this cmdlet toSyntax
Add-ProvisioningPackage Apply a provisioning package```Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-WprpFile ] []```
Remove-ProvisioningPackageRemove a provisioning package ```Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
```Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
```Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
Get-ProvisioningPackage Get information about an installed provisioning package ```Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
```Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
```Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
Export-ProvisioningPackage Extract the contents of a provisioning package ```Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
```Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store ```Install-TrustedProvisioningCertificate ```
Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the **Uninstall-TrustedProvisioningCertificate** cmdlet```Get-TrustedProvisioningCertificate```
Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificate```Uninstall-TrustedProvisioningCertificate ```
+ +>[!NOTE] +> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` + +Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes: + +- ProvTrace.<timestamp>.ETL - ETL trace file, unfiltered +- ProvTrace.<timestamp>.XML - ETL trace file converted into raw trace events, unfiltered +- ProvTrace.<timestamp>.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file +- ProvLogReport.<timestamp>.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file + + + +>[!NOTE] +>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts. + + +## Related topics + +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + + + + +  + +  + + + + + diff --git a/windows/configure/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md index 8754c66299..20ada61de8 100644 --- a/windows/configure/provisioning-script-to-install-app.md +++ b/windows/configure/provisioning-script-to-install-app.md @@ -168,21 +168,21 @@ Here’s a table describing this relationship, using the PowerShell example from ### Add script to provisioning package -When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Imaging and Configuration Designer (Windows ICD). +When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. -Using ICD, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: +Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: ``` cmd /c InstallMyApp.bat ``` -In ICD, this looks like: +In Windows Configuration Designer, this looks like: ![Command line in Selected customizations](images/icd-script1.png) You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. -In ICD, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. +In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. ![Command files in Selected customizations](images/icd-script2.png) @@ -211,12 +211,11 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configure/provisioning-uninstall-package.md b/windows/configure/provisioning-uninstall-package.md index b3836ede88..e4ee9c442e 100644 --- a/windows/configure/provisioning-uninstall-package.md +++ b/windows/configure/provisioning-uninstall-package.md @@ -27,7 +27,7 @@ Only settings in the following lists are revertible. ## Registry-based settings -The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Graphical User Interface of the Windows Imaging and Configuration Designer (Windows ICD). +The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Windows Configuration Designer. - [Wi-Fi Sense](https://msdn.microsoft.com/library/windows/hardware/mt219706.aspx) @@ -78,14 +78,13 @@ Here is the list of revertible settings based on configuration service providers - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   diff --git a/windows/configure/set-up-a-device-for-anyone-to-use.md b/windows/configure/set-up-a-device-for-anyone-to-use.md index f274498ed1..7a58deaa8f 100644 --- a/windows/configure/set-up-a-device-for-anyone-to-use.md +++ b/windows/configure/set-up-a-device-for-anyone-to-use.md @@ -1,5 +1,5 @@ --- -title: Set up a device for anyone to use (kiosk mode) (Windows 10) +title: Set up a device for anyone to use in kiosk mode (Windows 10) description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 keywords: ["kiosk", "lockdown", "assigned access"] @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS localizationpriority: high +redirect_url: https://technet.microsoft.com/itpro/windows/configure/kiosk-shared-pc --- # Set up a device for anyone to use (kiosk mode) diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 211f47f9c2..e9f19dfa8f 100644 --- a/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -19,52 +19,65 @@ localizationpriority: high > **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) -A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). +A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions. -**Note**   -A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. +- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). + + or + +- For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature (Windows 10 Pro, Enterprise, or Education). + + or + +- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only). + +To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). + +>[!NOTE] +>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.   -## Other settings to lock down -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +## Set up a kiosk using Windows Configuration Designer -- Put device in **Tablet mode**. +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -- Hide **Ease of access** feature on the logon screen. - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +[Install Windows Configuration Designer](provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. -- Disable the hardware power button. - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -- Remove the power button from the sign-in screen. + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device. 		![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. 		![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.		![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

**Important:** You must use the Windows Configuration Designer app from Windows Store to select a Classic Windows application as the kiosk app in a provisioning package.

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.		![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.		![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		![Protect your package](images/finish-details.png)
- Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -- Disable the camera. +>[!NOTE] +>If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -- Turn off app notifications on the lock screen. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -- Disable removable media. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. +[Learn how to apply a provisioning package.](provisioning-apply-package.md) - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.   - -## Assigned access method for Universal Windows apps + +## Assigned access method for Universal Windows apps Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: @@ -73,7 +86,7 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo | --- | --- | --- | | [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | | [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Enterprise, Education | | [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | @@ -88,8 +101,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. -**Note**   -Assigned access does not work on a device that is connected to more than one monitor. +>[!NOTE]   +>Assigned access does not work on a device that is connected to more than one monitor.   @@ -105,7 +118,7 @@ Assigned access does not work on a device that is connected to more than one mon 5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. -To remove assigned access, in step 3, choose **Don't use assigned access**. +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. ### Set up assigned access in MDM @@ -115,69 +128,9 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you [See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**Create a provisioning package for a kiosk device** - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. - -7. Enter a string to specify the user account and app (by AUMID). For example: - - "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -**Apply the provisioning package** - -1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. - -2. Consent to allow the package to be installed. - - After you allow the package to be installed, the settings will be applied to the device - -[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) ### Set up assigned access using Windows PowerShell @@ -201,7 +154,9 @@ Set-AssignedAccess -AppName -UserName Set-AssignedAccess -AppName -UserSID ``` -> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). [Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). @@ -223,8 +178,8 @@ Edit the registry to have an account automatically logged on. 1. Open Registry Editor (regedit.exe). - **Note**   - If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).   2. Go to @@ -239,7 +194,8 @@ Edit the registry to have an account automatically logged on. - *DefaultPassword*: set value as the password for the account. - > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. @@ -255,11 +211,15 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. -## Shell Launcher for Classic Windows applications + +## Shell Launcher for Classic Windows applications Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. +>[!NOTE] +>You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). + ### Requirements - A domain or local user account. @@ -274,10 +234,13 @@ To set a Classic Windows application as the shell, you first turn on the Shell L **To turn on Shell Launcher in Windows features** -1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. -2. Select **Embedded Shell Launcher** and **OK**. +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. -Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. +2. Expand **Device Lockdown**. + +2. Select **Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. **To turn on Shell Launcher using DISM** @@ -425,19 +388,46 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled ``` +## Other settings to lock down + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +- Put device in **Tablet mode**. + + If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** + +- Hide **Ease of access** feature on the logon screen. + + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + +- Disable the hardware power button. + + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + +- Remove the power button from the sign-in screen. + + Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** + +- Disable the camera. + + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + +- Turn off app notifications on the lock screen. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. + +- Disable removable media. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + + >[!NOTE]   + >To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +  ## Related topics - -[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Manage and update Windows 10](index.md) - -  - -  - +- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 1a11ff9c20..3ef7f7e374 100644 --- a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -18,51 +18,18 @@ localizationpriority: high - Windows 10 Mobile -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. -**Note**   -The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - -  - -## Apps Corner +A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.) -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back](images/backicon.png) when you're done. - -**To use Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). - - **Tip**   - Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -   - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Enterprise Assigned Access -Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. +Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. -**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. +>[!NOTE] +>The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.   @@ -72,21 +39,24 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r [See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) +### Set up assigned access using Windows Configuration Designer -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -**To create and apply a provisioning package for a kiosk device** +#### Create the *AssignedAccess*.xml file 1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). - **Note**   - Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + >[!NOTE] + >Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + +#### Create the provisioning package -   +1. [Install Windows Configuration Designer.](provisioning-install-icd.md) + +2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). 3. Choose **Advanced provisioning**. @@ -130,55 +100,91 @@ When you build a provisioning package, you may include sensitive information in - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: +17. Select the **output location** link to go to the location of the package. - - Removable media (USB/SD) +#### Distribute the provisioning package - **To apply a provisioning package from removable media** +You can distribute that .ppkg to mobile devices using any of the following methods: - 1. Copy the provisioning package file to the root directory on a micro SD card. +- Removable media (USB/SD) - 2. On the device, insert the micro SD card containing the provisioning package. + **To apply a provisioning package from removable media** - 3. Go to **Settings** > **Accounts** > **Provisioning.** + 1. Copy the provisioning package file to the root directory on a micro SD card. - 4. Tap **Add a package**. + 2. On the device, insert the micro SD card containing the provisioning package. - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. + 3. Go to **Settings** > **Accounts** > **Provisioning.** - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. + 4. Tap **Add a package**. - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - Email + 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package sent in email** + 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Send the provisioning package in email to an account on the device. +- Email - 2. Open the email on the device, and then double-tap the attached file. + **To apply a provisioning package sent in email** - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 1. Send the provisioning package in email to an account on the device. - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 2. Open the email on the device, and then double-tap the attached file. - - USB tether (mobile only) + 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package using USB tether** + 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Connect the device to your PC by USB. +- USB tether - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. + **To apply a provisioning package using USB tether** - 3. The provisioning package installation dialog will appear on the phone. + 1. Connect the device to your PC by USB. - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 3. The provisioning package installation dialog will appear on the phone. - [Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) + 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + + +## Apps Corner + +>[!NOTE] +>For Windows 10, versions 1507, 1511, and 1607 only. + +Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. + +**To set up Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. + +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) + +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. + +4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. + +5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. + +6. Press **Back** ![back](images/backicon.png) when you're done. + +**To use Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). + + >[!TIP]   + >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. +   +2. Give the device to someone else, so they can use the device and only the one app you chose. + +3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Related topics @@ -191,9 +197,5 @@ When you build a provisioning package, you may include sensitive information in   -  - - - diff --git a/windows/configure/set-up-shared-or-guest-pc.md b/windows/configure/set-up-shared-or-guest-pc.md index f641f80569..d0998d18c6 100644 --- a/windows/configure/set-up-shared-or-guest-pc.md +++ b/windows/configure/set-up-shared-or-guest-pc.md @@ -16,7 +16,7 @@ localizationpriority: high - Windows 10 -Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. +Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. > [!NOTE] > If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. @@ -69,16 +69,16 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) -- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**. ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) ### Create a provisioning package for shared use -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +1. [install Windows Configuration Designer](provisioning-install-icd.md) -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer. 2. On the **Start page**, select **Advanced provisioning**. @@ -287,15 +287,10 @@ Shared PC mode sets local group policies to configure the device. Some of these -## Related topics - -[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)   -  - diff --git a/windows/configure/settings-that-can-be-locked-down.md b/windows/configure/settings-that-can-be-locked-down.md index c0348677ba..6e0e342400 100644 --- a/windows/configure/settings-that-can-be-locked-down.md +++ b/windows/configure/settings-that-can-be-locked-down.md @@ -20,7 +20,15 @@ localizationpriority: high This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. -## Settings lockdown +## Settings lockdown in Windows 10, version 1703 + +In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. + +For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**. + +See the [ms-settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page. + +## Settings lockdown in Windows 10, version 1607 and earlier You can use Lockdown.xml to configure lockdown settings. @@ -451,52 +459,26 @@ You can specify the quick actions as follows: ``` syntax - - - - - - - - - - - - - - + + + + + + + + + + + + + + ``` -Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. -**Note**   -Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”. - -  - -The following table lists the dependencies between quick actions and Settings groups/pages. - -| Quick action | Settings group | Settings page | -|-----|-------|-------| -| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay | -| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay | -| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi | -| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing | -| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular | -| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode | -| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation | -| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN | -| SystemSettings\_Launcher\_QuickNote | N/A | N/A | -| SystemSettings\_Flashlight\_Toggle | N/A | N/A | -| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth | -| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver | -| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A | -| QuickActions\_Launcher\_AllSettings | N/A | N/A | -| SystemSettings\_QuickAction\_QuietHours | N/A | N/A | -| SystemSettings\_QuickAction\_Camera | N/A | N/A |   diff --git a/windows/configure/start-layout-xml-desktop.md b/windows/configure/start-layout-xml-desktop.md index db4bf8dd66..2a8a20dfd2 100644 --- a/windows/configure/start-layout-xml-desktop.md +++ b/windows/configure/start-layout-xml-desktop.md @@ -30,6 +30,9 @@ On Windows 10 for desktop editions, the customized Start works by: >[!NOTE] >Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). +>[!NOTE] +>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). + ## LayoutModification XML IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. @@ -473,17 +476,13 @@ Once you have created the LayoutModification.xml file and it is present in the d ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)   diff --git a/windows/configure/start-layout-xml-mobile.md b/windows/configure/start-layout-xml-mobile.md index 9d10466302..f25c2d2413 100644 --- a/windows/configure/start-layout-xml-mobile.md +++ b/windows/configure/start-layout-xml-mobile.md @@ -370,17 +370,13 @@ This should set the value of **StartLayout**. The setting appears in the **Selec ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)   diff --git a/windows/configure/start-taskbar-lockscreen.md b/windows/configure/start-taskbar-lockscreen.md index 3216cfabda..966ef97fca 100644 --- a/windows/configure/start-taskbar-lockscreen.md +++ b/windows/configure/start-taskbar-lockscreen.md @@ -1,7 +1,6 @@ --- -title: start tasbkar lockscreen (Windows 10) +title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10) description: -keywords: Windows 10, MDM, WSUS, Windows update ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -10,5 +9,19 @@ localizationpriority: high author: jdeckerMS --- -# start taskbar lockscreen +# Configure Start layout, taskbar, and lock screen for Windows 10 PCs + + +## In this section + +| Topic | Description | +| --- | --- | +| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

**Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | +| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Windows Store. | +| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | + + +## Related topics + +- [Configure Windows 10 Mobile devices](configure-mobile.md) \ No newline at end of file diff --git a/windows/configure/windows-10-start-layout-options-and-policies.md b/windows/configure/windows-10-start-layout-options-and-policies.md index b588216cb5..4829818f49 100644 --- a/windows/configure/windows-10-start-layout-options-and-policies.md +++ b/windows/configure/windows-10-start-layout-options-and-policies.md @@ -1,6 +1,6 @@ --- title: Manage Windows 10 Start and taskbar layout (Windows 10) -description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. +description: Organizations might want to deploy a customized Start and taskbar layout to devices. ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A keywords: ["start screen", "start menu"] ms.prod: w10 @@ -19,12 +19,16 @@ localizationpriority: high > **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) -Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. +Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. >[!NOTE] >Taskbar configuration is available starting in Windows 10, version 1607. > ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). +>Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703. +> +>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). + + ## Start options @@ -34,87 +38,21 @@ Some areas of Start can be managed using Group Policy. The layout of Start tiles The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StartPolicySetting
User tileGroup Policy: Remove Logoff on the Start menu
Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

Suggestions

-

-and-

-

Dynamically inserted app tile

MDM: Allow Windows Consumer Features

-

Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

-
-Note   -

This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

-
-
-  -
Settings > Personalization > Start > Occasionally show suggestions in Start
Recently addednot applicableSettings > Personalization > Start > Show recently added apps
Pinned foldersnot applicableSettings > Personalization > Start > Choose which folders appear on Start
PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
Start layout

MDM: Start layout

-

Group Policy: Start layout

-

Group Policy: Prevent users from customizing their Start Screen

-
-Note   -

When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. -

-
-  -
None
Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
Start size

MDM: Force Start size

-

Group Policy: Force Start to be either full screen size or menu size

Settings > Personalization > Start > Use Start full screen
All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
+| Start | Policy | Local setting | +| --- | --- | --- | +| User tile | MDM: **Start/HideUserTile**
**Start/HideSwitchAccount**
**Start/HideSignOut**
**Start/HideLock**
**Start/HideChangeAccountSettings**

Group Policy: **Remove Logoff on the Start menu** | none | +| Most used | MDM: **Start/HideFrequentlyUsedApps**

Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** | +| Suggestions
-and-
Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**

Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**

**Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** | +| Recently added | MDM: **Start/HideRecentlyAddedApps** | **Settings** > **Personalization** > **Start** > **Show recently added apps** | +| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** | +| Power | MDM: **Start/HidePowerButton**
**Start/HideHibernate**
**Start/HideRestart**
**Start/HideShutDown**
**Start/HideSleep**

Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none | +| Start layout | MDM: **Start layout**
**ImportEdgeAssets**

Group Policy: **Prevent users from customizing their Start screen**

**Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

**Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none | +| Jump lists | MDM: **Start/HideRecentJumplists**

Group Policy: **Do not keep history of recently opened documents** | **Settings** > **Personalization** > **Start** > **Show recently opened items in Jump Lists on Start or the taskbar** | +| Start size | MDM: **Force Start size**

Group Policy: **Force Start to be either full screen size or menu size** | **Settings** > **Personalization** > **Start** > **Use Start full screen** | +| App list | MDM: **Start/HideAppList** | **Settings** > **Personalization** > **Start** > **Show app list in Start menu** | +| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none | +| Taskbar | MDM: **Start/NoPinningToTaskbar** | none | +  ## Taskbar options @@ -125,15 +63,18 @@ There are three categories of apps that might be pinned to a taskbar: * Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) * Apps pinned by the enterprise, such as in an unattended Windows setup - **Note**   - The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + >[!NOTE] + >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). -> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - ![Windows left, user center, enterprise to the right](images/taskbar-generic.png) +>[!NOTE] +>In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + + + Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: * Pin additional apps * Change the order of pinned apps diff --git a/windows/configure/windows-spotlight.md b/windows/configure/windows-spotlight.md index eb3af0eb51..c3a078d793 100644 --- a/windows/configure/windows-spotlight.md +++ b/windows/configure/windows-spotlight.md @@ -1,5 +1,5 @@ --- -title: Windows Spotlight on the lock screen (Windows 10) +title: Configure Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A keywords: ["lockscreen"] @@ -10,13 +10,14 @@ author: jdeckerMS localizationpriority: high --- -# Windows Spotlight on the lock screen +# Configure Windows Spotlight on the lock screen **Applies to** - Windows 10 + Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. @@ -24,6 +25,8 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en >[!NOTE] >In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. +> +>In Windows 10, version 1703, you can use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. ## What does Windows Spotlight include? @@ -37,6 +40,8 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en - **Feature suggestions, fun facts, tips** The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + + ![fun facts](images/funfacts.png) ## How do you turn off Windows Spotlight locally? @@ -48,27 +53,28 @@ To turn off Windows Spotlight locally, go to **Settings** > **Personalization ## How do you disable Windows Spotlight for managed devices? -Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. +Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. -**Windows 10 Pro, Enterprise, and Education** +| Group Policy | MDM | Description | Applies to | +| --- | --- | --- | --- | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | +| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. -**Windows 10 Enterprise and Education** - -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) - -Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. >[!WARNING] > In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. ![lockscreen policy details](images/lockscreenpolicy.png) -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. + -![fun facts](images/funfacts.png) ## Related topics diff --git a/windows/deploy/images/icd-create-options-1703.PNG b/windows/deploy/images/icd-create-options-1703.PNG new file mode 100644 index 0000000000..007e740683 Binary files /dev/null and b/windows/deploy/images/icd-create-options-1703.PNG differ diff --git a/windows/deploy/images/ur-arch-diagram.png b/windows/deploy/images/ur-arch-diagram.png new file mode 100644 index 0000000000..9c1da1227c Binary files /dev/null and b/windows/deploy/images/ur-arch-diagram.png differ diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deploy/mbr-to-gpt.md index 5775e4b633..e0c160b723 100644 --- a/windows/deploy/mbr-to-gpt.md +++ b/windows/deploy/mbr-to-gpt.md @@ -378,7 +378,6 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is ## Related topics -[Using MBR2GPT with Configuration Manager OSD](https://miketerrill.net/tag/mbr2gpt/) -
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index b49144c4ca..a16acec410 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md @@ -1,6 +1,6 @@ --- -title: Resolve Windows 10 upgrade errors -description: Resolve Windows 10 upgrade errors +title: Resolve Windows 10 upgrade errors - Windows IT Pro +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback ms.prod: w10 @@ -11,7 +11,7 @@ author: greg-lindsay localizationpriority: high --- -# Resolve Windows 10 upgrade errors +# Resolve Windows 10 upgrade errors : Technical information for IT Pros **Applies to** - Windows 10 @@ -251,13 +251,15 @@ See the following example: ### Analyze log files +>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](#upgrade-error-codes) section in this guide to familiarize yourself with [result codes](#result-codes) and [extend codes](#extend-codes). +

To analyze Windows Setup log files:

    -
  1. Determine the Windows Setup error code. +
  2. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
  3. Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
  4. Open the log file in a text editor, such as notepad. -
  5. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +
  6. Using the [result code](#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
  7. To find the last occurrence of the result code:
    1. Scroll to the bottom of the file and click after the last character. diff --git a/windows/deploy/troubleshoot-upgrade-readiness.md b/windows/deploy/troubleshoot-upgrade-readiness.md index 700408bdd6..2cc9bf9340 100644 --- a/windows/deploy/troubleshoot-upgrade-readiness.md +++ b/windows/deploy/troubleshoot-upgrade-readiness.md @@ -11,7 +11,7 @@ If you’re having issues seeing data in Upgrade Readiness after running the Upg If you still don’t see data in Upgrade Readiness, follow these steps: -1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included. +1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included . 2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md). diff --git a/windows/deploy/upgrade-readiness-architecture.md b/windows/deploy/upgrade-readiness-architecture.md index c4cafc8768..93a028f925 100644 --- a/windows/deploy/upgrade-readiness-architecture.md +++ b/windows/deploy/upgrade-readiness-architecture.md @@ -13,7 +13,7 @@ Microsoft analyzes system, application, and driver telemetry data to help you de --> -![Upgrade Readiness architecture](images/upgrade-analytics-architecture.png) +![Upgrade Readiness architecture](images/ur-arch-diagram.png) After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, telemetry data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md index e1decfb250..0206b5764e 100644 --- a/windows/deploy/upgrade-readiness-deployment-script.md +++ b/windows/deploy/upgrade-readiness-deployment-script.md @@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following: To run the Upgrade Readiness deployment script: -1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. +1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. 2. Edit the following parameters in RunConfig.bat: diff --git a/windows/deploy/upgrade-readiness-resolve-issues.md b/windows/deploy/upgrade-readiness-resolve-issues.md index 7436b86607..bb0e2c452d 100644 --- a/windows/deploy/upgrade-readiness-resolve-issues.md +++ b/windows/deploy/upgrade-readiness-resolve-issues.md @@ -53,7 +53,7 @@ For applications assessed as **Attention needed**, review the table below for de | Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | |--------------------|-----------------------------------|-----------|-----------------|------------| | Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
      | No action is required for the upgrade to proceed. | -| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.

      The application may work on the new operating system.
      | Remove the application before upgrading, and reinstall and test on new operating system. | +| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.

      The application may work on the new operating system.
      | Remove the application before upgrading, and reinstall and test on new operating system. | | Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
      | | Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
      | | Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

      A compatible version of the application may be available.
      | diff --git a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md index ee298dc448..21ff12135a 100644 --- a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -41,7 +41,7 @@ As mentioned previously, the default target version in Upgrade Readiness is set The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610. +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607. To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index d8d43c7528..57c4ee7416 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -3,7 +3,6 @@ ## [Windows Hello for Business](hello-identity-verification.md) ### [How Windows Hello for Business works](hello-how-it-works.md) ### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) ### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) ### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) ### [Windows Hello and password changes](hello-and-password-changes.md) @@ -42,6 +41,9 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) +## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md) +### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md) +### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN technical guide](vpn-guide.md) @@ -783,6 +785,7 @@ ##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) ##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) ##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) #### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) ##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) @@ -790,7 +793,7 @@ ###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) #### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) ##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) -##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md) +##### [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md) ##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md) ##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md rename to windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md index e242add755..d551629b2e 100644 --- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -71,3 +71,10 @@ Portal label | SIEM field name | Description ![Image of machine timeline with numbers](images/atp-remediated-alert.png) ![Image of file details](images/atp-file-details.png) + + +## Related topics +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index ef564941db..6cd59dffcb 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,6 +18,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| +|[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New | +|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New | +|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New | ## February 2017 diff --git a/windows/keep-secure/code/example-script.ps1 b/windows/keep-secure/code/example-script.ps1 new file mode 100644 index 0000000000..e6563c2378 --- /dev/null +++ b/windows/keep-secure/code/example-script.ps1 @@ -0,0 +1,60 @@ +$authUrl = 'Your Authorization URL' +$clientId = 'Your Client ID' +$clientSecret = 'Your Client Secret' + + +Try +{ + $tokenPayload = @{ + "resource" = 'https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + + "Fetching an access token" + $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload + $token = $response.access_token + "Token fetched successfully" + + $headers = @{ + "Content-Type" = "application/json" + "Accept" = "application/json" + "Authorization" = "Bearer {0}" -f $token } + + $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" + + $alertDefinitionPayload = @{ + "Name" = "Test Alert" + "Severity" = "Medium" + "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature" + "Title" = "Test alert." + "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled." + "RecommendedAction" = "No recommended action for this test alert." + "Category" = "SuspiciousNetworkTraffic" + "Enabled" = "true"} + "Creating an Alert Definition" + $alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) + "Alert Definition created successfully" + $alertDefinitionId = $alertDefinition.Id + + $iocPayload = @{ + "Type"="IpAddress" + "Value"="52.184.197.12" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + "Creating an Indicator of Compromise" + $ioc = + Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) + "Indicator of Compromise created successfully" + + "All done!" +} +Catch +{ + 'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message +} diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1 index 278824d13a..6941c80627 100644 --- a/windows/keep-secure/code/example.ps1 +++ b/windows/keep-secure/code/example.ps1 @@ -1,8 +1,6 @@ -$tenantId = '{Your Tenant ID}' -$clientId = '{Your Client ID}' -$clientSecret = '{Your Client Secret}' - -$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId +$authUrl = 'Your Authorization URL' +$clientId = 'Your Client ID' +$clientSecret = 'Your Client Secret' $tokenPayload = @{ "resource"='https://graph.windows.net' diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py index 7bf906738c..6203b5230b 100644 --- a/windows/keep-secure/code/example.py +++ b/windows/keep-secure/code/example.py @@ -2,11 +2,9 @@ import json import requests from pprint import pprint -tenant_id="{your tenant ID}" -client_id="{your client ID}" -client_secret="{your client secret}" - -auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id) +auth_url="Your Authorization URL" +client_id="Your Client ID" +client_secret="Your Client Secret" payload = {"resource": "https://graph.windows.net", "client_id": client_id, diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index fba8ebda15..21b8b172ec 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -68,8 +68,9 @@ The following steps assume that you have completed all the required steps in [Be - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ - >[!NOTE] - >You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. + NOTE: + You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. + 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**. 5. Select Type: **ArcSight FlexConnector REST** and click **Next**. @@ -174,10 +175,11 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a A browser window appears. Allow it to run, it should disappear, and the connector should now be running. - > [!NOTE] - > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. +> [!NOTE] +> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics -- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md index 2ad2430c0e..c4a85d0274 100644 --- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -64,5 +64,5 @@ This section lists various issues that you may encounter when using email notifi ## Related topics - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) -- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index 18fa8ef5d5..f40c7d579d 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -42,14 +42,16 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. 2. Click **Search & Reporting**, then **Settings** > **Data inputs**. 3. Click **REST** under **Local inputs**. -> [!NOTE] -> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). + + NOTE: + This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). 4. Click **New**. 5. Type the following values in the required fields, then click **Save**: -> [!NOTE] ->All other values in the form are optional and can be left blank. + + NOTE: + All other values in the form are optional and can be left blank. @@ -132,6 +134,7 @@ Use the solution explorer to view alerts in Splunk. ## Related topics -- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index c2c75d2d52..4aba77f8b3 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md @@ -55,14 +55,14 @@ This tile shows you a list of machines with the highest number of active alerts. Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). -You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). ## Users at risk The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). ![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png) -Click the user account to see details about the user account. For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection] +Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md). ## Machines with active malware detections The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender. @@ -97,7 +97,7 @@ There are two status indicators that provide information on the number of machin - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. - **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected. -When you click any of the groups, you’ll be directed to machines view, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). ## Service health The **Service health** tile informs you if the service is active or if there are issues. diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md index 47189ede43..e717a28f79 100644 --- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -27,13 +27,15 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee 1. In the navigation pane, select **Preference Setup** > **Threat intel API**. + ![Image of threat intel API menu](images/atp-threat-intel-api.png) + 2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values. 3. Copy the individual values or select **Save details to file** to download a file that contains all the values. - >[!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place. - >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + WARNING:
      + The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
      + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). 4. Select **Generate tokens** to get an access and refresh token. diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md index 5746ab6157..a645f8ccad 100644 --- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -29,16 +29,18 @@ Enable security information and event management (SIEM) integration so you can p 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. - >[!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place. - >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + WARNING:
      + The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
      + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). 3. Choose the SIEM type you use in your organization. - >[!NOTE] - >If you select HP ArcSight, you'll need to save these two configuration files: - > - WDATP-connector.jsonparser.properties - > - WDATP-connector.properties - > If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. + + NOTE:
      + If you select HP ArcSight, you'll need to save these two configuration files:
      + - WDATP-connector.jsonparser.properties + - WDATP-connector.properties
      + + If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. 4. Copy the individual values or select **Save details to file** to download a file that contains all the values. @@ -47,5 +49,7 @@ Enable security information and event management (SIEM) integration so you can p You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal. ## Related topics -- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index 2c68fb6704..e69c2a864d 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -25,7 +25,7 @@ localizationpriority: high You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints. -For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. +For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. > [!NOTE] > It can take several days for endpoints to begin reporting to the Windows Defender ATP service. diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e840000672 --- /dev/null +++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -0,0 +1,85 @@ +--- +title: Experiment with custom threat intelligence alerts +description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API. +keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Experiment with custom threat intelligence (TI) alerts + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization. + +For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md). + +This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API. + +You'll be guided through sample steps so you can experience how the threat intelligence API feature works. Sample steps include creating alerts definitions and indicators of compromise (IOCs), and examples of how triggered custom TI alerts look like. + +## Step 1: Enable the threat intelligence API and obtain authentication details +To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). + +This step is required to generate security credentials that you need to use while working with the API. + +## Step 2: Create a sample alert definition and IOCs +This step will guide you in creating an alert definition and an IOC for a malicious IP. + +1. Open a Windows PowerShell ISE. + +2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert. + + NOTE:
      + Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application. + + [!code[ExampleScript](./code/example-script.ps1#L1-L60)] + +3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines. + + ![Image of the script running](images/atp-running-script.png) + + NOTE:
      + If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script: + + ```syntax + $webclient=New-Object System.Net.WebClient + $creds=Get-Credential + $webclient.Proxy.Credentials=$creds + ``` + +## Step 3: Simulate a custom TI alert +This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert. + +1. Open a Windows PowerShell ISE in the machine you onboarded to Windows Defender ATP. + +2. Type `Invoke-WebRequest 52.184.197.12` in the editor and click **Run**. This call will generate a network communication event to a Microsoft's dedicated demo server that will raise an alert based on the custom alert definition. + + ![Image of editor with command to Invoke-WebRequest](images/atp-simulate-custom-ti.png) + +## Step 4: Explore the custom alert in the portal +This step will guide you in exploring the custom alert in the portal. + +1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser. + +2. Log in with your Windows Defender ATP credentials. + +3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack. + + ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) + +> [!NOTE] +> It can take up to 15 minutes for the alert to appear in the portal. diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 01eaa034f6..225527fdbc 100644 --- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ If the machine has not been in use for more than 7 days for any reason, it will A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally. **Machine was offboarded**
      -If the machine was offboarded it will still appear in machines view. After 7 days, the machine health state should change to inactive. +If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md index b8021ab337..d53c76fc27 100644 --- a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md @@ -23,14 +23,16 @@ localizationpriority: high During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu. 1. In the navigation pane, select **Preferences setup** > **General**. + 2. Modify settings such as data retention policy or the industry that best describes your organization. - >[!NOTE] - >Other settings are not editable. + > [!NOTE] + > Other settings are not editable. + 3. Click **Save preferences**. ## Related topics -- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md index dc6bb1e021..336c82005d 100644 --- a/windows/keep-secure/hello-and-password-changes.md +++ b/windows/keep-secure/hello-and-password-changes.md @@ -41,7 +41,6 @@ Suppose instead that you sign in on **Device B** and change your password for yo - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md index caf9da8a9b..c57043af82 100644 --- a/windows/keep-secure/hello-biometrics-in-enterprise.md +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md @@ -79,7 +79,6 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md deleted file mode 100644 index b325dd3b58..0000000000 --- a/windows/keep-secure/hello-enable-phone-signin.md +++ /dev/null @@ -1,84 +0,0 @@ ---- -title: Enable phone sign-in to PC or VPN (Windows 10) -description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. -keywords: ["identity", "PIN", "biometric", "Hello"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Enable phone sign-in to PC or VPN - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. - -![Sign in to a device](images/phone-signin-menu.png) - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. - - ## Prerequisites - - - Both phone and PC must be running Windows 10, version 1607. - - The PC must be running Windows 10 Pro, Enterprise, or Education - - Both phone and PC must have Bluetooth. - - The **Microsoft Authenticator** app must be installed on the phone. - - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. - - The phone must be joined to Azure AD or have a work account added. - - The VPN configuration profile must use certificate-based authentication. - -## Set policies - -To enable phone sign-in, you must enable the following policies using Group Policy or MDM. - -- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** - - Enable **Use Windows Hello for Business** - - Enable **Phone Sign-in** -- MDM: - - Set **UsePassportForWork** to **True** - - Set **Remote\UseRemotePassport** to **True** - -## Configure VPN - -To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: - -- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. -- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. - -## Get the app - -If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). - -[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote) - - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - - -  - -  - - - - - diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index 98dce6bbda..b9f0619b20 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -225,7 +225,6 @@ For errors listed in this table, contact Microsoft Support for assistance. - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md index a59c57e6be..1eecd8dd53 100644 --- a/windows/keep-secure/hello-event-300.md +++ b/windows/keep-secure/hello-event-300.md @@ -37,7 +37,6 @@ This is a normal condition. No further action is required. - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index af480096c6..379783c65a 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md @@ -112,7 +112,6 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index c13f490b56..063ed2cfe2 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md @@ -72,10 +72,6 @@ Imagine that someone is looking over your shoulder as you get money from an ATM Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. -For customers using a hybrid Active Directory and Azure Active Directory environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. - -> [!NOTE] ->  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.   ## How Windows Hello for Business works: key points @@ -119,7 +115,6 @@ Windows Hello for Business can use either keys (hardware or software) or certifi - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md index beca5f89e3..44cef02636 100644 --- a/windows/keep-secure/hello-manage-in-organization.md +++ b/windows/keep-secure/hello-manage-in-organization.md @@ -131,16 +131,12 @@ The following table lists the Group Policy settings that you can configure for W - +
      Phone Sign-in>Phone Sign-in

      Use Phone Sign-in

      -
      Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
      -
       
      		 -

      Not configured: Phone sign-in is disabled.

      -

      Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

      -

      Disabled: Phone sign-in is disabled.

      +

      Not currently supported.
      @@ -283,14 +279,11 @@ The following table lists the MDM policy settings that you can configure for Win Remote

      UseRemotePassport

      -
      Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
      -
       
      Device or user False -

      True: Phone sign-in is enabled.

      -

      False: Phone sign-in is disabled.

      +

      Not currently supported.

      @@ -381,7 +374,6 @@ If you want to use Windows Hello for Business with certificates, you’ll need a - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md index 41c323ada1..8426ced11d 100644 --- a/windows/keep-secure/hello-prepare-people-to-use.md +++ b/windows/keep-secure/hello-prepare-people-to-use.md @@ -51,56 +51,13 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) -## Use a phone to sign in to a PC or VPN -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -**Prerequisites:** - -- Both phone and PC must be running Windows 10, version 1607. -- The PC must be running Windows 10 Pro, Enterprise, or Education -- Both phone and PC must have Bluetooth. -- The **Microsoft Authenticator** app must be installed on the phone. -- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. -- The phone must be joined to Azure AD or have a work account added. -- The VPN configuration profile must use certificate-based authentication. - -**Pair the PC and phone** - -1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. - - ![bluetooth pairing](images/btpair.png) - -2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. - - ![bluetooth pairing passcode](images/bt-passcode.png) - -3. On the PC, tap **Yes**. - -**Sign in to PC using the phone** - - -1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. - - ![select a device](images/phone-signin-device-select.png) -   -2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. - -**Connect to VPN** - -You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. ## Related topics - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index e79b6e5348..9c24738397 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md @@ -75,7 +75,6 @@ If you only had a biometric sign-in configured and, for any reason, were unable - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) diff --git a/windows/keep-secure/images/atp-machines-at-risk.png b/windows/keep-secure/images/atp-machines-at-risk.png index e733606c0c..219e958d7d 100644 Binary files a/windows/keep-secure/images/atp-machines-at-risk.png and b/windows/keep-secure/images/atp-machines-at-risk.png differ diff --git a/windows/keep-secure/images/atp-running-script.png b/windows/keep-secure/images/atp-running-script.png new file mode 100644 index 0000000000..ebfdebadc5 Binary files /dev/null and b/windows/keep-secure/images/atp-running-script.png differ diff --git a/windows/keep-secure/images/atp-sample-custom-ti-alert.png b/windows/keep-secure/images/atp-sample-custom-ti-alert.png new file mode 100644 index 0000000000..e536f6f4cc Binary files /dev/null and b/windows/keep-secure/images/atp-sample-custom-ti-alert.png differ diff --git a/windows/keep-secure/images/atp-simulate-custom-ti.png b/windows/keep-secure/images/atp-simulate-custom-ti.png new file mode 100644 index 0000000000..2828654c79 Binary files /dev/null and b/windows/keep-secure/images/atp-simulate-custom-ti.png differ diff --git a/windows/keep-secure/images/atp-threat-intel-api.png b/windows/keep-secure/images/atp-threat-intel-api.png new file mode 100644 index 0000000000..ef6720b29e Binary files /dev/null and b/windows/keep-secure/images/atp-threat-intel-api.png differ diff --git a/windows/keep-secure/images/rules-legend.png b/windows/keep-secure/images/rules-legend.png index dea7d1dc70..a48783c6e3 100644 Binary files a/windows/keep-secure/images/rules-legend.png and b/windows/keep-secure/images/rules-legend.png differ diff --git a/windows/keep-secure/images/windows-defender-security-center.png b/windows/keep-secure/images/windows-defender-security-center.png new file mode 100644 index 0000000000..a3286fb528 Binary files /dev/null and b/windows/keep-secure/images/windows-defender-security-center.png differ diff --git a/windows/keep-secure/images/windows-defender-smartscreen-control.png b/windows/keep-secure/images/windows-defender-smartscreen-control.png new file mode 100644 index 0000000000..b2700addba Binary files /dev/null and b/windows/keep-secure/images/windows-defender-smartscreen-control.png differ diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md index 76dd0c900d..73f0e86007 100644 --- a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: View and organize the Windows Defender ATP machines view -description: Learn about the available features that you can use from the Machines view such as sorting, filtering, and exporting the machine list which can enhance investigations. +title: View and organize the Windows Defender ATP machines list +description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the machine list which can enhance investigations. keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# View and organize the Windows Defender ATP Machines view +# View and organize the Windows Defender ATP Machines list **Applies to:** @@ -21,23 +21,23 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. +The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. Use the Machines view in these main scenarios: - **During onboarding**
      - During the onboarding process, the **Machines view** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. + During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. - **Day-to-day work** - The **Machines view** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. + The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. ## Sort, filter, and download the list of machines from the Machines view -You can sort the **Machines view** by clicking on any column header to sort the view in ascending or descending order. +You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order. -Filter the **Machines view** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria. +Filter the **Machines list** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria. You can also download the entire list in CSV format using the **Export to CSV** feature. -![Image of machines view with list of machines](images/atp-machines-view-list.png) +![Image of machines list with list of machines](images/atp-machines-view-list.png) You can use the following filters to limit the list of machines displayed during an investigation: @@ -71,7 +71,7 @@ You can download a full list of all the machines in your organization, in CSV f Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. ## Sort the Machines view -You can sort the **Machines view** by the following columns: +You can sort the **Machines list** by the following columns: - **Machine name** - Name or GUID of the machine - **Last seen** - Date and time when the machine last reported sensor data diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md index 0b8d3f4996..2e7af88cf4 100644 --- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md @@ -1,4 +1,15 @@ -# Mitigate threats by using Windows 10 security features +--- +title: Mitigate threats by using Windows 10 security features (Windows 10) +description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: justinha +--- + +# Mitigate threats by using Windows 10 security features **Applies to:** - Windows 10 @@ -44,7 +55,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta |---|---| | **Windows Defender SmartScreen**,
      which helps prevent
      malicious applications
      from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

      **More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | | **Credential Guard**,
      which helps keep attackers
      from gaining access through
      Pass-the-Hash or
      Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
      Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

      **More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | -| **Enterprise certificate pinning**,
      which helps keep users
      from being deceived by
      man-in-the-middle attacks
      that leverage PKI | With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf. This helps protect your enterprise’s intranet sites (not external Internet sites) by providing validation for digitally signed certificates (SSL certificates) used while browsing. This feature mitigates man-in the-middle attacks that involve these certificates.

      **More information**: ENTERPRISE_CERTIFICATE_PINNING_LINK | +| **Enterprise certificate pinning**,
      which helps keep users
      from being deceived by
      man-in-the-middle attacks
      that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf.

      **More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | | **Device Guard**,
      which helps keep a device
      from running malware or
      other untrusted apps | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.
      Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

      **More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | | **Windows Defender Antivirus**,
      which helps keep devices
      free of viruses and other
      known software threats | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

      **More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | | **Blocking of untrusted fonts**,
      which helps prevent fonts
      from being used in
      elevation-of-privilege attacks | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

      **More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | @@ -73,9 +84,7 @@ Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped pro For Windows 10, Microsoft further developed SmartScreen, now called Windows Defender SmartScreen, by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. - - -For more information, see Windows Defender SmartScreen overview. +For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md). ### Windows Defender Antivirus @@ -202,7 +211,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interacti ### Universal Windows apps protections -When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s highly unlikely that they will encounter malware, because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. +When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. @@ -366,7 +375,7 @@ The Converter feature is currently available as a Windows PowerShell cmdlet, **S - **Converting Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. -- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in the Enterprise_certificate_pinning_documentation. +- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). #### EMET-related products diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md index ac785c854a..c6d0f9dd37 100644 --- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection portal overview description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. -keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks +keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, preferences setup, endpoint management, advanced attacks search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md index 5574319409..c30415b0fd 100644 --- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ These code examples demonstrate the following tasks: ## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. -Replace the *tenantid*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal: +Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal: [!code[CustomTIAPI](./code/example.ps1#L1-L14)] diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md index 5d51de963a..1523930b5c 100644 --- a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md @@ -27,6 +27,6 @@ Use the **Preferences setup** menu to modify general settings, advanced features Topic | Description :---|:--- [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process. -[Enable advanced features](advanced-features-windows-defender-advacned-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products. +[Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products. [Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features. [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications. diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md index 9304e0ab7e..f1e4b41964 100644 --- a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md @@ -27,5 +27,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Related topics - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) -- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index af7b7f12d0..670143cd10 100644 --- a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -187,3 +187,9 @@ HTTP error code | Description 401 | Malformed request or invalid token. 403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted. 500 | Error in the service. + +## Related topics +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md index 6e63d9f1b5..d162c44a38 100644 --- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md @@ -37,7 +37,7 @@ These code examples demonstrate the following tasks: ## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. -Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: +Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: [!code[CustomTIAPI](./code/example.py#L1-L17)] diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md index 0d15caf8a1..26459e371e 100644 --- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -130,7 +130,7 @@ For prevalent files in the organization, a warning is shown before an action is 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: – **Alerts** - Click the file links from the Description or Details in the Alert timeline - – **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section + – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section – **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**. @@ -175,7 +175,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: – Alerts - click the file links from the **Description** or **Details** in the Alert timeline - – **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section + – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section – Search box - select **File** from the drop–down menu and enter the file name 2. In the **Deep analysis** section of the file view, click **Submit**. diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 7262eeac48..3918964ff2 100644 --- a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -40,7 +40,7 @@ This machine isolation feature disconnects the compromised machine from the netw - **Dashboard** - Select the machine name from the Top machines with active alerts section. - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines view** - Select the machine name from the list of machines. + - **Machines list** - Select the machine name from the list of machines. - **Search box** - Select Machine from the drop-down menu and enter the machine name. 2. Open the **Actions** menu and select **Isolate machine**. @@ -102,7 +102,7 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag - **Dashboard** - Select the machine name from the Top machines with active alerts section. - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines view** - Select the heading of the machine name from the machines view. + - **Machines list** - Select the heading of the machine name from the machines list. - **Search box** - Select Machine from the drop-down menu and enter the machine name. 2. Open the **Actions** menu and select **Collect investigation package**. diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index e95197be01..3a2b9f8868 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -45,7 +45,7 @@ Deployment with the above-mentioned versions of System Center Configuration Mana If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). -If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. +If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. ## Troubleshoot onboarding when deploying with a script on the endpoint @@ -119,7 +119,7 @@ ID | Severity | Event description | Troubleshooting steps 1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). ## Troubleshoot onboarding issues on the endpoint -If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: - [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) - [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index 23bb45e5bf..e614c969ca 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md @@ -45,7 +45,7 @@ Topic | Description [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. -[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. +[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts. [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert. [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks. diff --git a/windows/keep-secure/windows-defender-smartscreen-available-settings.md b/windows/keep-secure/windows-defender-smartscreen-available-settings.md new file mode 100644 index 0000000000..936751e349 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-available-settings.md @@ -0,0 +1,215 @@ +--- +title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) +description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. + +## Group Policy settings +SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      SettingSupported onDescription
      Windows 10, version 1703:
      Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

      Windows 10, Version 1607 and earlier:
      Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

      		At least Windows Server 2012, Windows 8 or Windows RTThis policy setting turns on Windows Defender SmartScreen.

      If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

      If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

      If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

      Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703This setting helps protect PCs by allowing users to install apps only from the Windows Store. SmartScreen must be enabled for this feature to work properly.

      If you enable this setting, your employees can only install apps from the Windows Store.

      If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.

      If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Windows Store.

      Windows 10, version 1703:
      Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

      Windows 10, Version 1607 and earlier:
      Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

      		Microsoft Edge on Windows 10 or laterThis policy setting turns on Windows Defender SmartScreen.

      If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.

      If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

      If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

      Windows 10, version 1703:
      Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

      Windows 10, Version 1511 and 1607:
      Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

      		Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.

      If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

      If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

      Windows 10, version 1703:
      Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

      Windows 10, Version 1511 and 1607:
      Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

      		Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.

      If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

      If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

      Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen FilterInternet Explorer 9 or laterThis policy setting prevents the employee from managing SmartScreen Filter.

      If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

      If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

      Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warningsInternet Explorer 8 or laterThis policy setting determines whether an employee can bypass warnings from SmartScreen Filter.

      If you enable this policy setting, SmartScreen Filter warnings block the employee.

      If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

      Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the InternetInternet Explorer 9 or laterThis policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

      If you enable this policy setting, SmartScreen Filter warnings block the employee.

      If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

      + +## MDM settings +If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      SettingSupported versionsDetails
      AllowSmartScreenWindows 10 +
        +
      • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
        • +
      • Data type. Integer
        • +
      • Allowed values:
          +
        • 0 . Turns off Windows Defender SmartScreen.
          • +
        • 1. Turns on Windows Defender SmartScreen.
      +
      EnableAppInstallControlWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
        • +
      • Data type. Integer
        • +
      • Allowed values:
          +
        • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
          • +
        • 1. Turns on Application Installation Control, allowing users to install apps from the Windows Store only.
      +
      EnableSmartScreenInShellWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
        • +
      • Data type. Integer
        • +
      • Allowed values:
          +
        • 0 . Turns off SmartScreen in Windows.
          • +
        • 1. Turns on SmartScreen in Windows.
      +
      PreventOverrideForFilesInShellWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
        • +
      • Data type. Integer
        • +
      • Allowed values:
          +
        • 0 . Employees can ignore SmartScreen warnings and run malicious files.
          • +
        • 1. Employees can't ignore SmartScreen warnings and run malicious files.
      +
      PreventSmartScreenPromptOverrideWindows 10, Version 1511 and later +
        +
      • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
        • +
      • Data type. Integer
        • +
      • Allowed values:
          +
        • 0 . Employees can ignore SmartScreen warnings.
          • +
        • 1. Employees can't ignore SmartScreen warnings.
      +
      PreventSmartScreenPromptOverrideForFilesWindows 10, Version 1511 and later +
        +
      • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
        • +
      • Data type. Integer
        • +
      • Allowed values:
          +
        • 0 . Employees can ignore SmartScreen warnings for files.
          • +
        • 1. Employees can't ignore SmartScreen warnings for files.
      +
      + +## Recommended Group Policy and MDM settings for your organization +By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning. + +To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings. + + + + + + + + + + + + + + + + + + + + + +
      Group Policy settingRecommendation
      Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Windows Defender SmartScreen.
      Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
      Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
      Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
      +

      + + + + + + + + + + + + + + + + + + + + + + + + + +
      MDM settingRecommendation
      Browser/AllowSmartScreen1. Turns on Windows Defender SmartScreen.
      Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
      Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
      SmartScreen/EnableSmartScreenInShell1. Turns on Windows Defender SmartScreen in Windows.

      Requires at least Windows 10, version 1703.

      SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

      Requires at least Windows 10, version 1703.

      + +## Related topics +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) + +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + +- [Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-smartscreen-overview.md b/windows/keep-secure/windows-defender-smartscreen-overview.md new file mode 100644 index 0000000000..4df34ae566 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-overview.md @@ -0,0 +1,66 @@ +--- +title: Windows Defender SmartScreen overview (Windows 10) +description: Conceptual info about Windows Defender SmartScreen. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Windows Defender SmartScreen +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. + +>[!NOTE] +>SmartScreen completely blocks apps from the Internet from running on Windows 10 Mobile. + +**SmartScreen determines whether a site is potentially malicious by:** + +- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution. + +- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. + +**SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** + +- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. + +- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution. + + >[!NOTE] + >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser. + +## Benefits of Windows Defender SmartScreen +Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: + +- **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) + +- **Reputation-based URL and app protection.** SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee. + +- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run. + +- **Improved heuristics and telemetry.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files. + +- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). + +## Viewing Windows Defender SmartScreen anti-phishing events +When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx). + +## Related topics +- [SmartScreen Frequently Asked Questions (FAQ)](https://support.microsoft.com/en-us/products/windows?os=windows-10) + +- [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx) + +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) + +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md new file mode 100644 index 0000000000..482d88a367 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md @@ -0,0 +1,80 @@ +--- +title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10) +description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Set up and use Windows Defender SmartScreen on individual devices + +**Applies to:** +- Windows 10, version 1703 +- Windows 10 Mobile + +Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. + +## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. + +>[!NOTE] +>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. + +**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device** +1. Open the Windows Defender Security Center app, and then click **App & browser control**. + + ![Windows Defender Security Center](images/windows-defender-security-center.png) + +2. In the **App & browser control** screen, choose from the following options: + + - In the **Check apps and files** area: + + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. + + - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + + - In the **SmartScreen for Microsoft Edge** area: + + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge. + + - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + + - In the **SmartScreen from Windows Store apps** area: + + - **Block** or **Warn.** Warns employees that the sites and downloads used by Windows Store apps are potentially dangerous, but allows the action to continue. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. + + ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png) + +## How SmartScreen works when an employee tries to run an app +Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. + +By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). + +## How employees can report websites as safe or unsafe +You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. + +**To report a website as safe from the warning message** +- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. + +**To report a website as unsafe from Microsoft Edge** +- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. + +**To report a website as unsafe from Internet Explorer 11** +- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. + +## Related topics +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 530731086d..148d75201f 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -39,8 +39,9 @@ ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Application Virtualization (App-V) for Windows](appv-for-windows.md) ### [Getting Started with App-V](appv-getting-started.md) -#### [What's new in App-V](appv-about-appv.md) -##### [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md) +#### [What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md) +##### [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows.md) +##### [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md) #### [Evaluating App-V](appv-evaluating-appv.md) #### [High Level Architecture for App-V](appv-high-level-architecture.md) ### [Planning for App-V](appv-planning-for-appv.md) @@ -77,7 +78,10 @@ #### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) ### [Operations for App-V](appv-operations.md) #### [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md) -##### [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) +##### [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +##### [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) +##### [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) +##### [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) ##### [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md) ##### [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md) ##### [How to Create a Package Accelerator](appv-create-a-package-accelerator.md) @@ -108,6 +112,7 @@ ##### [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md) ##### [How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md) #### [Using the App-V Client Management Console](appv-using-the-client-management-console.md) +##### [Automatically clean-up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) #### [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) ##### [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md) #### [Maintaining App-V](appv-maintaining-appv.md) @@ -126,6 +131,7 @@ ##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md) ### [Troubleshooting App-V](appv-troubleshooting.md) ### [Technical Reference for App-V](appv-technical-reference.md) +#### [Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md) #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md) #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) diff --git a/windows/manage/appv-about-appv.md b/windows/manage/appv-about-appv.md index ef43aeed3d..9fc61c9b7d 100644 --- a/windows/manage/appv-about-appv.md +++ b/windows/manage/appv-about-appv.md @@ -1,26 +1,43 @@ --- -title: What's new in App-V for Windows 10 (Windows 10) -description: Information about what's new in App-V for Windows 10. -author: MaggiePucciEvans +title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10) +description: Information about what's new in App-V for Windows 10, version 1703 and earlier. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - -# What's new in App-V +# What's new in App-V for Windows 10, version 1703 and earlier **Applies to** -- Windows 10, version 1607 +- Windows 10, version 1703 and earlier -Microsoft Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. +Microsoft Application Virtualization (App-V) helps organizations to deliver Win32 applications to employees as virtual apps. Virtual apps are installed on centrally managed servers and delivered to employees as a service – in real time and on an as-needed basis. Employees start virtual apps from familiar access points and interact with them as if they were installed locally. -Application Virtualization (App-V) for Windows 10, version 1607, includes these new features and capabilities compared to App-V 5.1. See [App-V release notes](appv-release-notes-for-appv-for-windows.md) for more information about the App-V for Windows 10, version 1607 release. +## What's new in App-V Windows 10, version 1703 +The following are new features in App-V for Windows 10, version 1703. +### Auto sequence and update your App-V packages singly or as a batch +Previous versions of the App-V Sequencer have required you to manually sequence and update your app packages. This was time-consuming and required extensive interaction, causing many companies to deploy brand-new packages rather than update an existing one. Windows 10, version 1703 introduces the App-V Auto-Sequencer, which automatically sequences your app packages, improving your overall experience by streamlining the provisioning of the prerequisite environment, automating app installation, and expediting the package updating setup. + +Using the automatic sequencer to package your apps provides: +- Automatic virtual machine (VM) provisioning of the sequencing environment. For info about this, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md). + +- Batch-sequencing of packages. This means that multiple apps can be sequenced at the same time, in a single group. For info about this, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). + +- Batch-updating of packages. This means that multiple apps can be updated at the same time, in a single group. For info about this, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). + +### Updates to the App-V project template +Starting with Windows 10, version 1703, you can save an App-V project template (.appvt) file as part of a sequenced App-V package, so it's automatically loaded every time the package opens for editing or updates. Your template can include general option settings, file exclusion list settings, and target operating system settings. For more info about this, see [Create and apply an App-V project template to a sequenced App-V package](appv-create-and-use-a-project-template.md) + +### Automatically cleanup unpublished App-V packages from the App-V client +Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. For more info about this, see [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) + +## What's new in App-V in Windows 10, version 1607 +The following are new features in App-V for Windows 10, version 1607. ## App-V is now a feature in Windows 10 - With Windows 10, version 1607 and later releases, Application Virtualization (App-V) is included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack. For information about earlier versions of App-V, see [MDOP Information Experience](https://technet.microsoft.com/itpro/mdop/index). @@ -29,26 +46,25 @@ The changes in App-V for Windows 10, version 1607 impact already existing implem - The App-V client is installed on user devices automatically with Windows 10, version 1607, and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the App-V client. -- The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. +- The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. ->**Note**
      If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released. + >[!NOTE] + >If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md) and [Migrating to App-V for Windows 10 from a previous version](appv-migrating-to-appv-from-a-previous-version.md). ->**Important** -You can upgrade your existing App-V installation to Windows 10, version 1607 from App-V versions 5.0 SP2 and higher only. If you are using a previous version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you upgrade to Windows 10, version 1607. - +>[!IMPORTANT] +>You can upgrade your existing App-V installation to Windows 10, version 1607 from App-V versions 5.0 SP2 and higher only. If you are using a previous version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you upgrade to Windows 10, version 1607.   ## Support for System Center - App-V supports System Center 2016 and System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) for information about integrating your App-V environment with Configuration Manager. +## Related topics +- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows.md) + +- [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md) ## Have a suggestion for App-V? - Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). -## Related topics - -[Release Notes for App-V](appv-release-notes-for-appv-for-windows.md) diff --git a/windows/manage/appv-auto-batch-sequencing.md b/windows/manage/appv-auto-batch-sequencing.md new file mode 100644 index 0000000000..2722febd18 --- /dev/null +++ b/windows/manage/appv-auto-batch-sequencing.md @@ -0,0 +1,173 @@ +--- +title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) + +**Applies to** +- Windows 10, version 1703 + +Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package. + +In Windows 10, version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: + +- Using the New-BatchAppVSequencerPackages cmdlet + +- Using the App-V Sequencer interface + +- Using the new-AppVSequencerPackage cmdlet + +>[!NOTE] +>If you're trying to update multiple apps at the same time, see the [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) topic. + +### Sequence multiple apps by using a PowerShell cmdlet +Sequencing multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of sequencing. This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations. + +**To create your ConfigFile for use by the PowerShell cmdlet** + +1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad. + +2. Add the following required XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. + + - **<InstallerFolder>.** The file path to the folder with the app installer. + + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<InstallerOptions>.** The command-line options required for the app installation. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + + ```XML + + + + Skype for Windows + D:\Install\New\SkypeforWindows + SkypeSetup.exe + /S + 20 + True + True + + + Power BI + D:\Install\New\MicrosoftPowerBI + PBIDesktop.msi + /S + 20 + True + True + + + + ``` +3. Save your completed file, using the name **ConfigFile**. + + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and _OutputPath_ is the full path to where the sequenced packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + +### Sequence multiple apps by using the App-V Sequencer interface +Sequencing multipe apps at the same time requires that you create a **ConfigFIle** to collect all of the info related to each round of sequencing. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. + +**To create your ConfigFile for use by the App-V Sequencer interface** + +1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad. + +2. Add the following required XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. + + - **<InstallerFolder>.** The file path to the folder with the app installer. + + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + + ```XML + + + + Skype for Windows + D:\Install\New\SkypeforWindows + SkypeSetup.exe + 20 + False + True + + + Power BI + D:\Install\New\MicrosoftPowerBI + PBIDesktop.msi + 20 + False + True + + + + ``` + + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and _OutputPath_ is the full path to where the sequenced packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + +### Review the log files +There are 3 types of log files that occur when you sequence multiple apps at the same time: + +- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the sequencing activities, such as "Copying installer to VM", "Scheduling sequencing task", and so on for each app. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem. + +- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps. + +- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. + +### Related topics +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +- [How to install the App-V Sequencer](appv-install-the-sequencer.md) + +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) + +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) + +- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) + +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) + +- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) + +**Have a suggestion for App-V?**

      +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/appv-auto-batch-updating.md b/windows/manage/appv-auto-batch-updating.md new file mode 100644 index 0000000000..3c9a7531bc --- /dev/null +++ b/windows/manage/appv-auto-batch-updating.md @@ -0,0 +1,177 @@ +--- +title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) + +**Applies to** +- Windows 10, version 1703 + +Updating multiple apps at the same time follows the same process as [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However for updating, you'll pass your previously created app package files to the App-V Sequencer cmdlet for updating. + +Starting with Windows 10, version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. + +>[!NOTE] +>If you're trying to sequence multiple apps at the same time, see the [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) topic. + +### Update multiple apps by using a PowerShell cmdlet +Updating multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of updating. This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations. + +**To create your ConfigFile for use by the PowerShell cmdlet** + +1. Determine the apps that need to be included in your app package, and then open a text editor, such as Notepad. + +2. Add the following XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. + + - **<InstallerFolder>.** The file path to the folder with the app installer. + + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<InstallerOptions>.** The command-line options required for the app installation. + + - **<Package>.** The file path to the location of your App-V packages. These packages were created when you sequenced your apps. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + ```XML + + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + True + True + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + True + True + + + + ``` + +3. Save your completed file, using the name **ConfigFile**. + + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and _OutputPath_ is the full path to where the updated packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and updating of the app begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + +### Update multiple apps by using the App-V Sequencer interface +Updating multipe apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. + +**To create your ConfigFile for use by the App-V Sequencer interface** + +1. Determine the apps that need to be updated and then open a text editor, such as Notepad. + +2. Add the following XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. + + - **<InstallerFolder>.** The file path to the folder with the app installer. + + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<Package>.** The file path to the location of your App-V packages. These packages were created when you sequenced your apps. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + + ```XML + + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + False + True + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + False + True + + + + ``` + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and _OutputPath_ is the full path to where the updated packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and updating of the app begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + +### Review the log files +There are 3 types of log files that occur when you sequence multiple apps at the same time: + +- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the updating activities, such as "Copying installer to VM", "Scheduling updating task", and so on for each app. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem. + +- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps. + +- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. + +### Related topics +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +- [How to install the App-V Sequencer](appv-install-the-sequencer.md) + +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) + +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) + +- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) + +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) + +- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) + + +**Have a suggestion for App-V?**

      +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/appv-auto-clean-unpublished-packages.md b/windows/manage/appv-auto-clean-unpublished-packages.md new file mode 100644 index 0000000000..234222854e --- /dev/null +++ b/windows/manage/appv-auto-clean-unpublished-packages.md @@ -0,0 +1,76 @@ +--- +title: Automatically cleanup unpublished packages on the App-V client (Windows 10) +description: How to automatically clean-up any unpublished packages on your App-V client devices. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Automatically cleanup unpublished packages on the App-V client + +**Applies to** +- Windows 10, version 1703 + +Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +## Cleanup by using PowerShell commands +Using PowerShell, you can turn on the **AutoCleanupEnabled** setting to automatically cleanup your unpublished App-V packages from your App-V client devices. + +**To turn on the AutoCleanupEnabled option** + +1. Open PowerShell as an admin and run the following command to turn on the automatic package cleanup functionality: + + ```ps1 + Set-AppvClientConfiguration -AutoCleanupEnabled 1 + ``` + + The command runs and you should see the following info on the PowerShell screen: + + + + + + + + + + + + + + + + +
      NameValueSetbyGroupPolicy
      AutoCleanupEnabled1False
      + +2. Run the following command to make sure the configuration is ready to automatically cleanup your packages. + + ```ps1 + Get-AppvClientConfiguration + ``` + You should see the **AutoCleanupEnabled** option turned on (shows a value of "1") in the configuration list. + +## Cleanup by using Group Policy settings +Using Group Policy, you can turn on the **Enable automatic cleanup of unused appv packages** setting to automatically cleanup your unpublished App-V packages from your App-V client devices. + +**To turn on the Enable automatic cleanup of unused appv packages setting** + +1. Open your Group Policy editor and double-click the Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused appv packages setting. + +2. Click **Enabled**, and then click **OK**. + + After your Group Policy updates, the setting is turned on and will cleanup any unpublished App-V packages on the App-V Client after restarting. + +### Related topics +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186) + +- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) + + +**Have a suggestion for App-V?**

      +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/appv-auto-provision-a-vm.md b/windows/manage/appv-auto-provision-a-vm.md new file mode 100644 index 0000000000..b4b1819a25 --- /dev/null +++ b/windows/manage/appv-auto-provision-a-vm.md @@ -0,0 +1,127 @@ +--- +title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) + +**Applies to** +- Windows 10, version 1703 + +Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. + +## Automatic VM provisioning of the sequencing environment +You have 2 options for provisioning an VM for auto-sequencing: +- Using a Virtual Hard Disk (VHD) + + -OR- + +- Updating an existing VM + + >[!NOTE] + >We have reduced the number of environmental checks performed by the App-V Sequencer, narrowing down the list of apps that need to be disabled or turned off for a clean sequencing experience. We've also suppressed antivirus and other similar app warnings. + +### Provision a new VM by using a VHD file +Provisioning your new VM includes creating a VHD file, setting up a user account, turning on remote PowerShell scripting, and installing the App-V Sequencer. + +#### Create a VHD file +For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f) command-line tool. + +**To create a VHD file by using the Convert-WindowsImage command-line tool** +1. Open PowerShell as an admin and run the Convert-WindowsImage tool, using the following commands: + + ```ps1 + Convert-WindowsImage -SourcePath "" -VHDFormat "VHD" -VHDPartitionStyle "MBR" + ``` + Where *<path_to_iso_image>* is the full path to your ISO image. + + >[!IMPORTANT] + >You must specify the _VHDPartitionStyle_ as **MBR**. Using the default value, **GPT**, will cause a boot failure in your VHD image. + +#### Provision your VM using your VHD file +After you have a VHD file, you must provision your VM for auto-sequencing. + +**To provision your VM using your VHD file** +1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). + +2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server). + +3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters: + + ```ps1 + New-AppVSequencerVM -VMName "" -ADKPath "" -VHDPath "" -VMMemory -VMSwitch "" + ``` + +This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start. + + +### Provision an existing VM for auto-sequencing +If your apps require custom prerequisites, such as Microsoft SQL Server, we recommend that you preinstall the prerequisites on your VM and then use that VM for auto-sequencing. Using these steps will establish a connection to your existing VM. + +**To connect to your existing VM** +- Open PowerShell as an admin and run the following commands on your existing VM: + + - **Set the network category of your connection profile on the VM to _Private_:** + + ```ps1 + Get-netconnectionprofile | set-netconnectionprofile -NetworkCategory Private + ``` + + - **Enable firewall rules for _Remote Desktop_ and _Windows Remote Management_:** + + ```ps1 + Enable-NetFirewallRule -DisplayGroup “Remote Desktop” + Enable-NetFirewallRule -DisplayGroup “Windows Remote Management” + ``` + + - **Set the VM to receive remote commands without a confirmation prompt:** + + ```ps1 + Enable-PSRemoting –Force + ``` + +**To provision an existing VM** +1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). + +2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters: + + ```ps1 + Connect-AppvSequencerVM -VMName "" -ADKPath "" + ``` + + Where *<name_of_vm>* is the name of the VM granted during its creation and shown in the Hyper-V Manager tool. + +This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start. + + +### Review the provisioning log files +The 2 types of provisioning log files, located at %temp%\AutoSequencer\Logs, are: + +- **New-AppVSequencerVM-<*time_stamp*>.txt**. Includes info about the provisioning activities, such as "Waiting for VM session", "Copying installer for Sequencer", and so on. + +- **Connect-AppvSequencerVM-report-<*time_stamp*>.txt**. Includes info about the connections made to the VM, showing whether there were any failures. + + +### Next steps +After provisioning your sequencing environment, you must sequence your apps, either as a group or individually. For more info about sequencing your apps, see [Manually sequence a single new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md), [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md), and [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). + +After you sequence your packages, you can automatically cleanup any unpublished packages on the App-V client. For more info, see [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md). + +### Related topics +- [Download the Convert-WindowsImage tool](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f) + +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +- [How to install the App-V Sequencer](appv-install-the-sequencer.md) + +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) + + +**Have a suggestion for App-V?**

      +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/appv-available-mdm-settings.md b/windows/manage/appv-available-mdm-settings.md new file mode 100644 index 0000000000..dc5eb1a61a --- /dev/null +++ b/windows/manage/appv-available-mdm-settings.md @@ -0,0 +1,211 @@ +--- +title: Available Mobile Data Management (MDM) settings for App-V (Windows 10) +description: A list of the available MDM settings for App-V on Windows 10. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Available Mobile Data Management (MDM) settings for App-V +With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Data Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Policy nameSupported versionsDetails
      NameWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      VersionWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Version
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      PublisherWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Publisher
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      InstallLocationWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      InstallDateWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallDate
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      UsersWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Users
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      AppVPackageIDWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      AppVVersionIDWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      AppVPackageUriWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V packages.
        • +
      +
      LastErrorWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError
        • +
      • Data type. String
        • +
      • Value. Read-only data, provided by your App-V client.
        • +
      +
      LastErrorDescriptionWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription
        • +
      • Data type. String
        • +
      • Values. +
          +
        • 0. No errors returned during publish.
          • +
        • 1. Unpublish groups failed during publish.
          • +
        • 2. Publish no-group packages failed during publish.
          • +
        • 3. Publish group packages failed during publish.
          • +
        • 4. Unpublish packages failed during publish.
          • +
        • 5. New policy write failed during publish.
          • +
        • 6. Multiple non-fatal errors occurred during publish.
          • +
        +
        • +
      +
      SyncStatusDescriptionWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription
        • +
      • Data type. String
        • +
      • Values. +
          +
        • 0. App-V publishing is idle.
          • +
        • 1. App-V connection groups publish in progress.
          • +
        • 2. App-V packages (non-connection group) publish in progress.
          • +
        • 3. App-V packages (connection group) publish in progress.
          • +
        • 4. App-V packages unpublish in progress.
          • +
        +
        • +
      +
      SyncProgressWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress
        • +
      • Data type. String
        • +
      • Values. +
          +
        • 0. App-V Sync is idle.
          • +
        • 1. App-V Sync is initializing.
          • +
        • 2. App-V Sync is in progress.
          • +
        • 3. App-V Sync is complete.
          • +
        • 4. App-V Sync requires device reboot.
          • +
        +
        • +
      +
      PublishXMLWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML
        • +
      • Data type. String
        • +
      • Value. Custom value, entered by admin.
        • +
      +
      PolicyWindows 10, version 1703 +
        +
      • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy
        • +
      • Data type. String
        • +
      • Value. Custom value, entered by admin.
        • +
      +
      \ No newline at end of file diff --git a/windows/manage/appv-create-and-use-a-project-template.md b/windows/manage/appv-create-and-use-a-project-template.md index c6a0be63bb..1496e43518 100644 --- a/windows/manage/appv-create-and-use-a-project-template.md +++ b/windows/manage/appv-create-and-use-a-project-template.md @@ -1,55 +1,64 @@ --- -title: How to Create and Use a Project Template (Windows 10) -description: How to Create and Use a Project Template -author: MaggiePucciEvans +title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) +description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - -# How to Create and Use a Project Template +# Create and apply an App-V project template to a sequenced App-V package **Applies to** - Windows 10, version 1607 -You can use an App-V project template to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. +You can use an App-V project template (.appvt) file to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. App-V project templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V project templates can be applied to multiple applications. For more info about Package Accelerators, see the [How to create a Package Accelerator](appv-create-a-package-accelerator.md) topic. -> **Note**  You can, and often should apply an App-V project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application. +>[!IMPORTANT] +>In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. -App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. -Use the following procedures to create and apply a new template. +## Create a project template +You must first create and save a project template, including a virtual app package with settings to be used by the template. **To create a project template** -1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. - > **Note**  If the virtual application package is currently open in the App-V Sequencer console, skip to step 3 of this procedure. + >[!NOTE] + >If the virtual app package is currently open in the App-V Sequencer console, skip to Step 3 of this procedure. -2. To open the existing virtual application package that contains the settings you want to save with the App-V project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. +2. On the **File** menu, click **Open**, click **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V project template, and then click **Edit** to change any of the settings or info included in the file. -3. In the App-V Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V project template. Click Save. +3. On the **File** menu, click **Save As Template**, review the settings associated with the new template, click **OK**, name your new template, and then click **Save**. The new App-V project template is saved in the folder you specified. -**To apply a project template** +## Apply a project template +After creating the template, you can apply it to all of your new virtual app packages, automatically including all of the settings. -> **Important**  Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported. +>[!IMPORTANT] +>Virtual app packages don't support using both a project template and a Package Accelerator together. -1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. -2. To create or upgrade a new virtual application package by using an App-V project template, click **File** / **New From Template**. +2. On the **File** menu, click **New From Template**, browse to your newly created project template, and then click **Open**. -3. To select the project template that you want to use, browse to the directory where the project template is saved, select the project template, and then click **Open**. +3. Create your new virtual app package. The settings saved with your template are automatically applied. - Create the new virtual application package. The settings saved with the specified template will be applied to the new virtual application package that you are creating. +### Related topics +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -## Have a suggestion for App-V? +- [How to install the App-V Sequencer](appv-install-the-sequencer.md) +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) + +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) + +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) + +- [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) + +**Have a suggestion for App-V?**

      Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related topics - -[Operations for App-V](appv-operations.md) diff --git a/windows/manage/appv-creating-and-managing-virtualized-applications.md b/windows/manage/appv-creating-and-managing-virtualized-applications.md index 861034a883..b6aeefb413 100644 --- a/windows/manage/appv-creating-and-managing-virtualized-applications.md +++ b/windows/manage/appv-creating-and-managing-virtualized-applications.md @@ -68,7 +68,9 @@ The **Options** dialog box in the sequencer console contains the following tabs: App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the Service will be included in the sequenced virtual package as long as it is installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then later, after installation, the application must be run while the sequencer is monitoring so that the Windows Service will be added to the package. Only Services that run under the Local System account are supported. Services that are configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the package’s Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call. -[How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +- [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) ## App-V shell extension support @@ -166,11 +168,7 @@ You can use the sequencer to modify an existing package. The computer on which y [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md) ## Creating a project template - - -A .appvt file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. - -App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: +An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: A template can specify and store multiple settings as follows: @@ -180,10 +178,15 @@ A template can specify and store multiple settings as follows: - **Exclusion Items.** Contains the Exclusion pattern list. +In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. + +>[!IMPORTANT] +>If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. + [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md) -## Creating a package accelerator +## Creating a package accelerator **Note**   Package accelerators created using a previous version of App-V must be recreated using App-V. diff --git a/windows/manage/appv-for-windows.md b/windows/manage/appv-for-windows.md index 3938202a14..ed4d234781 100644 --- a/windows/manage/appv-for-windows.md +++ b/windows/manage/appv-for-windows.md @@ -42,10 +42,14 @@ The topics in this section provide information and step-by-step procedures to he [Operations for App-V](appv-operations.md) - [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md) +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) - [Managing Connection Groups](appv-managing-connection-groups.md) - [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) +- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) - [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) - [Maintaining App-V](appv-maintaining-appv.md) - [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/manage/appv-modify-client-configuration-with-powershell.md b/windows/manage/appv-modify-client-configuration-with-powershell.md index ef256839b0..e3ca1981bf 100644 --- a/windows/manage/appv-modify-client-configuration-with-powershell.md +++ b/windows/manage/appv-modify-client-configuration-with-powershell.md @@ -16,15 +16,15 @@ ms.prod: w10 Use the following procedure to configure the App-V client configuration. -1. To configure the client settings using Windows PowerShell, use the **Set-AppvClientConfiguration** cmdlet. For more information about installing Windows PowerShell, and a list of cmdlets see, [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). +1. To configure the client settings using Windows PowerShell, use the **Set-AppVClientConfiguration** cmdlet. For more information about installing Windows PowerShell, and a list of cmdlets see, [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). -2. To modify the client configuration, open a Windows PowerShell Command prompt and run **Set-AppvClientConfiguration** with any required parameters. For example: +2. To modify the client configuration, open a Windows PowerShell Command prompt and run **Set-AppVClientConfiguration** with any required parameters. For example: - `$config = Get-AppvClientConfiguration` + `$config = Get-AppVClientConfiguration` - `Set-AppcClientConfiguration $config` + `Set-AppVClientConfiguration $config` - `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppVClientConfiguration –Name1 MyConfig –Name2 “xyz”` ## Have a suggestion for App-V? diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md index b18a9df8d0..a08cd69548 100644 --- a/windows/manage/appv-planning-for-using-appv-with-office.md +++ b/windows/manage/appv-planning-for-using-appv-with-office.md @@ -28,20 +28,16 @@ Use the following information to plan how to deploy Office by using Microsoft Ap You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group. ->**Note**   -Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. +>[!NOTE]  +>Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. ## Supported versions of Microsoft Office - - - See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products. ->**Note**  You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer. - ->**Note** -Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744) +>[!NOTE] +>You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer. +>Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744) ## Planning for using App-V with coexisting versions of Office @@ -87,8 +83,8 @@ The Office documentation provides extensive guidance on coexistence for Windows The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. ->**Note**   -Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. +>[!NOTE]  +>Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service.   diff --git a/windows/manage/appv-release-notes-for-appv-for-windows-1703.md b/windows/manage/appv-release-notes-for-appv-for-windows-1703.md new file mode 100644 index 0000000000..9e787d612c --- /dev/null +++ b/windows/manage/appv-release-notes-for-appv-for-windows-1703.md @@ -0,0 +1,121 @@ +--- +title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) +description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Release Notes for App-V for Windows 10, version 1703 + +**Applies to** +- Windows 10, version 1703 + +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1703. + + + + + + + + + + + + + + + + + + + + + + + + +
      ProblemWorkaround
      Unable to manually create a system-owned folder needed for the set-AppVClientConfiguration PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters.Don't create this file manually, instead let the Add-AppVClientPackage cmdlet auto-generate it.
      Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.Make sure you have the complete App-V package or the MSI file from the original app.
      Unable to modify the locale for auto-sequencing.Open the C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES.
      Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area.The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <appv:Extensions> tag: +
      
+<appv:Extension Category="AppV.URLProtocol">
+	<appv:URLProtocol>
+		<appv:Name>ftp</appv:Name>
+		<appv:ApplicationURLProtocol>
+			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+			<appv:ShellCommands>
+				<appv:DefaultCommand>open</appv:DefaultCommand>
+				<appv:ShellCommand>
+					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+					<appv:Name>open</appv:Name>
+					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+					<appv:DdeExec>
+						<appv:DdeCommand />
+					</appv:DdeExec>
+				</appv:ShellCommand>
+			</appv:ShellCommands>
+		</appv:ApplicationURLProtocol>
+	</appv:URLProtocol>
+</appv:Extension>
+<appv:Extension Category="AppV.URLProtocol">
+	<appv:URLProtocol>
+		<appv:Name>http</appv:Name>
+		<appv:ApplicationURLProtocol>
+			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+			<appv:ShellCommands>
+				<appv:DefaultCommand>open</appv:DefaultCommand>
+				<appv:ShellCommand>
+					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+					<appv:Name>open</appv:Name>
+					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+					<appv:DdeExec>
+						<appv:DdeCommand />
+					</appv:DdeExec>
+				</appv:ShellCommand>
+			</appv:ShellCommands>
+		</appv:ApplicationURLProtocol>
+	</appv:URLProtocol>
+</appv:Extension>
+<appv:Extension Category="AppV.URLProtocol">
+	<appv:URLProtocol>
+		<appv:Name>https</appv:Name>
+		<appv:ApplicationURLProtocol>
+			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+			<appv:ShellCommands>
+				<appv:DefaultCommand>open</appv:DefaultCommand>
+				<appv:ShellCommand>
+					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+					<appv:Name>open</appv:Name>
+					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+					<appv:DdeExec>
+						<appv:DdeCommand />
+					</appv:DdeExec>
+				</appv:ShellCommand>
+			</appv:ShellCommands>
+		</appv:ApplicationURLProtocol>
+	</appv:URLProtocol>
+</appv:Extension>
+
      +
      + + +## Related resources list +For information that can help with troubleshooting App-V for Windows 10, see: +- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) + +- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/) + +- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference) + +- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) + +## Have a suggestion for App-V? +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics +- [What's new in App-V for Windows 10](appv-about-appv.md) + +- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) diff --git a/windows/manage/appv-release-notes-for-appv-for-windows.md b/windows/manage/appv-release-notes-for-appv-for-windows.md index 0982031249..290e4b19b9 100644 --- a/windows/manage/appv-release-notes-for-appv-for-windows.md +++ b/windows/manage/appv-release-notes-for-appv-for-windows.md @@ -1,23 +1,21 @@ --- -title: Release Notes for App-V (Windows 10) -description: Release Notes for App-V -author: MaggiePucciEvans +title: Release Notes for App-V for Windows 10, version 1607 (Windows 10) +description: A list of known issues and workarounds for App-V running on Windows 10, version 1607. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - # Release Notes for App-V for Windows 10, version 1607 **Applies to** - Windows 10, version 1607 -The following are known issues in Application Virtualization (App-V) for Windows 10, version 1607. +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client - MSI packages that were generated using an App-V sequencer from previous versions of App-V (App-V versions 5.1 and earlier) include a check to validate that the App-V client is installed on client devices before allowing the MSI package to install. Now that the App-V client is installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. **Workaround**: @@ -45,13 +43,11 @@ MSI packages that were generated using an App-V sequencer from previous versions where the path is to the new directory (**C:\MyMsiTools\ for this example**). ## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 - An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server does not understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but is not backported to versions of App-V 5.0 SP3 or earlier. **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients. ## Custom configurations do not get applied for packages that will be published globally if they are set using the App-V Server - If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration will not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages will not have access to this custom configuration. **Workaround**: Do one of the following: @@ -95,7 +91,6 @@ On the Packages page of the Management Console, if you click **Add or Upgrade** 3. Paste the path into the **Add Package** dialog box input field ## Upgrading App-V Management Server to 5.1 sometimes fails with the message “A database error occurred” - If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to App-V Server when multiple connection groups are configured and enabled, the following error is displayed: “A database error occurred. Reason: 'Invalid column name 'PackageOptional'. Invalid column name 'VersionOptional'.” **Workaround**: Run this command on your SQL database: @@ -105,14 +100,11 @@ If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to A where “AppVManagement” is the name of the database. ## Users cannot open a package in a user-published connection group if you add or remove an optional package - In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users cannot open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group. **Workaround**: Have users log out and then log back in. ## Error message is erroneously displayed when the connection group is published only to the user - - When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Please ensure that the package is added to the machine and published to the user.” **Workaround**: Do one of the following: @@ -132,40 +124,37 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, 3. If the package is currently published, run **Repair-AppvClientPackage** on that package. ## Icons not displayed properly in Sequencer - Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32. **Workaround**: Only use icons that are 16x16 or 32x32. ## InsertVersionInfo.sql script no longer required for the Management Database - - The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). -**Important**   -**Step 1** is not required for versions of App-V later than App-V 5.0 SP3. - +>[!IMPORTANT]  +>**Step 1** of the KB article listed above isn't required for versions of App-V later than App-V 5.0 SP3. ## Microsoft Visual Studio 2012 not supported +App-V doesn't support Visual Studio 2012. - -App-V does not support Visual Studio 2012. - -**Workaround**: None +**Workaround**: Use a newer version of Microsoft Visual Studio. ## Application filename restrictions for App-V Sequencer - - The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. **Workaround**: Use a different filename -## Have a suggestion for App-V? +## Related resources list +For information that can help with troubleshooting App-V for Windows 10, see: +- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) +- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/) +- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference) +- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) +## Have a suggestion for App-V? Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). -## Related topics +Help us to improve -[What's new in App-V for Windows 10](appv-about-appv.md) diff --git a/windows/manage/appv-sequence-a-new-application.md b/windows/manage/appv-sequence-a-new-application.md index 24b1fb9ba1..7479636bf9 100644 --- a/windows/manage/appv-sequence-a-new-application.md +++ b/windows/manage/appv-sequence-a-new-application.md @@ -1,7 +1,7 @@ --- -title: How to Sequence a New Application with App-V (Windows 10) -description: How to Sequence a New Application with App-V -author: MaggiePucciEvans +title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +description: How to manually sequence a new app using the App-V Sequencer +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,10 +9,10 @@ ms.prod: w10 --- -# How to Sequence a New Application with App-V +# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) **Applies to** -- Windows 10, version 1607 +- Windows 10, version 1607 and later In Windows 10, version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). @@ -36,8 +36,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD - If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume. -> [!NOTE] -> The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where x is any numeral. Error 0x8007139F will be generated. +>[!NOTE] +>The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where x is any numeral. Error 0x8007139F will be generated. **To sequence a new standard application** @@ -47,15 +47,15 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. 4. On the **Type of Application** page, click the **Standard Application (default)** check box, and then click **Next**. 5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. - > [!NOTE] - > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. + >[!NOTE] + >If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then click **Next**. @@ -65,8 +65,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. - > [!IMPORTANT] - > You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. + >[!IMPORTANT] + >You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. @@ -74,8 +74,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. - > [!NOTE] - > To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. + >[!NOTE] + >To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. Click **Next**. @@ -91,23 +91,21 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - > [!NOTE] - > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. - -   + >[!NOTE] + >If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. 13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. Click **Next**. - > [!IMPORTANT] - > Make sure that the operating systems you specify here are supported by the application you are sequencing. + >[!IMPORTANT] + >Make sure that the operating systems you specify here are supported by the application you are sequencing. 14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. - > [!IMPORTANT] - > The system does not support non-printable characters in **Comments** and **Descriptions**. + >[!IMPORTANT] + >The system does not support non-printable characters in **Comments** and **Descriptions**. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. @@ -115,14 +113,13 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD The package is now available in the sequencer. - > [!IMPORTANT] - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. - + >[!IMPORTANT] + >After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.   **To sequence an add-on or plug-in application** -> [!NOTE] +>[!NOTE] >Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. >For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. @@ -133,9 +130,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. - + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. 4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. @@ -143,17 +139,17 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. - Click **Next**. +7. Click **Next**. -7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V Management Console. +8. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V Management Console. - Click **Next**. +9. Click **Next**. -8. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. +10. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. -9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. +11. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. -10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. +12. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - Optimize how the package will run across a slow or unreliable network. @@ -161,12 +157,10 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD Click **Next**. -11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. +13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. - > [!NOTE]    - > If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. - -   + >[!NOTE]    + >If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. 12. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Click **Next**. @@ -174,8 +168,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package. - > [!IMPORTANT]    - > The system does not support non-printable characters in Comments and Descriptions. + >[!IMPORTANT]    + >The system does not support non-printable characters in Comments and Descriptions. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. @@ -187,9 +181,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the App-V Sequencer in order to ensure that no unwanted or malicious files can be added to the package. - + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the App-V Sequencer in order to ensure that no unwanted or malicious files can be added to the package. 4. On the **Type of Application** page, select **Middleware**, and then click **Next**. @@ -197,37 +190,35 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V Management Console. - Click **Next**. +7. Click **Next**. -7. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. +8. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. -8. On the **Installation** page, wait while the sequencer configures the virtual application package. +9. On the **Installation** page, wait while the sequencer configures the virtual application package. -9. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. +10. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. -10. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. +11. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. -11. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. +12. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. Descriptions are useful for identifying the program version and other information about the package. - > [!IMPORTANT]    - > The system does not support non-printable characters in Comments and Descriptions. + >[!IMPORTANT]    + >The system does not support non-printable characters in Comments and Descriptions. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. -12. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. +13. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. - > [!IMPORTANT]    - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. + >[!IMPORTANT]    + >After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. ## Have a suggestion for App-V? - Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics - - [Install the App-V Sequencer](appv-install-the-sequencer.md) - [Operations for App-V](appv-operations.md) diff --git a/windows/manage/appv-sequence-a-package-with-powershell.md b/windows/manage/appv-sequence-a-package-with-powershell.md index e1920755b9..1d3143b133 100644 --- a/windows/manage/appv-sequence-a-package-with-powershell.md +++ b/windows/manage/appv-sequence-a-package-with-powershell.md @@ -59,10 +59,15 @@ The following list displays additional optional parameters that can be used with - FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened. -## Have a suggestion for App-V? +In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. -Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +>[!IMPORTANT] +>If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. ## Related topics - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) + +## Have a suggestion for App-V? + +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 168d27d267..d6a3868254 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -14,23 +14,31 @@ This topic lists new and updated topics in the [Manage Windows 10](index.md) doc >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - ## RELEASE: Windows 10, version 1703 The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md). - +## March 2017 +| New or changed topic | Description | +| --- | --- | +|[Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) |New | +|[What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md)|Updated to include new features in App-V for Windows 10, version 1703. | +|[Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md)|New | +|[Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) |New | +|[Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) |New | +|[Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) |New | +|[Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) |New | +|[Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md) |New | ## February 2017 - | New or changed topic | Description | | --- | --- | | [Windows Libraries](windows-libraries.md) | New | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New | | [Get started with Update Compliance](update-compliance-get-started.md) | New | | [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New | -| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | -| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Added Express updates. | +|[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | +|[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |Added Express updates. | | [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. | @@ -97,7 +105,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -- [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +- [Set up a shared or guest PC with Windows 10](../configure/set-up-shared-or-guest-pc.md) - [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) - [Application Virtualization (App-V) for Windows 10](appv-for-windows.md) - [User Experience Virtualization (UE-V) for Windows 10](uev-for-windows.md) diff --git a/windows/manage/images/button.png b/windows/manage/images/button.png new file mode 100644 index 0000000000..1ba7590f76 Binary files /dev/null and b/windows/manage/images/button.png differ diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md index f149335e36..ed2c748110 100644 --- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md @@ -44,11 +44,10 @@ As indicated in the diagram, Microsoft continues to provide support for deep man With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: - - Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune). -- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx). +- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). - Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction). diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/manage/set-up-shared-or-guest-pc.md deleted file mode 100644 index f641f80569..0000000000 --- a/windows/manage/set-up-shared-or-guest-pc.md +++ /dev/null @@ -1,302 +0,0 @@ ---- -title: Set up a shared or guest PC with Windows 10 (Windows 10) -description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios. -keywords: ["shared pc mode"] -ms.prod: W10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Set up a shared or guest PC with Windows 10 - - -**Applies to** - -- Windows 10 - -Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. - -> [!NOTE] -> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. - -##Shared PC mode concepts -A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users. - -###Account models -It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account. - -###Account management -When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. - -###Maintenance and sleep -Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. - -While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Use one of the following methods to configure Windows Update: - -- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**. -- MDM: Set **Update/AllowAutoUpdate** to `4`. -- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`. - -[Learn more about the AllowAutoUpdate settings](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_AllowAutoUpdate) - -###App behavior - -Apps can take advantage of shared PC mode by changing their app behavior to align with temporary use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. For information on how an app can query for shared PC mode, see [SharedModeSettings class](https://msdn.microsoft.com/en-us/library/windows/apps/windows.system.profile.sharedmodesettings.aspx). - -###Customization -Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. - -| Setting | Value | -|:---|:---| -| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | -| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC.
      - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
      - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
      - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | -| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
      - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

      Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. | -| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | -| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | -| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | -| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | -| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
      - Local storage locations are restricted. Users can only save files to the cloud.
      - Custom Start and taskbar layouts are set.\*
      - A custom sign-in screen background image is set.\*
      - Additional educational policies are applied (see full list below).

      \*Only applies to Windows 10 Pro Education, Enterprise, and Education | -| Customization: SetPowerPolicies | When set as **True**:
      - Prevents users from changing power settings
      - Turns off hibernate
      - Overrides all power state transitions to sleep (e.g. lid close) | -| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | -| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | - - -##Configuring shared PC mode on Windows -You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) - -![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) - -- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. - -![Shared PC settings in ICD](images/icd-adv-shared-pc.png) - - -### Create a provisioning package for shared use - -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. On the **Start page**, select **Advanced provisioning**. - -3. Enter a name and (optionally) a description for the project, and click **Next**. - -4. Select **All Windows desktop editions**, and click **Next**. - -5. Click **Finish**. Your project opens in Windows ICD. - -6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) - -7. On the **File** menu, select **Save.** -8. On the **Export** menu, select **Provisioning package**. -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -10. Set a value for **Package Version**. - > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. -   -11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - > [!IMPORTANT]   - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. -   -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) (select this option to apply to a PC during initial setup) - - -### Apply the provisioning package - -You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up. - -**During initial setup** -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - - ![The first screen to set up a new PC](images/oobe.jpg) - -2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**. - - ![Set up device?](images/setupmsg.jpg) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - - ![Choose a package](images/choose-package.png) - -5. Select **Yes, add it**. - - ![Do you trust this package?](images/trust-package.png) - -6. Read and accept the Microsoft Software License Terms. - - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) - - -**After setup** - -On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. - -![add a package option](images/package.png) - -> [!NOTE] -> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out when turning shared pc mode on. -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell:
      - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - - - - -## Policies set by shared PC mode -Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. - -> [!IMPORTANT] -> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Policy name

      Value

      When set?

      Admin Templates > Control Panel > Personalization

      Prevent enabling lock screen slide show

      Enabled

      Always

      Prevent changing lock screen and logon image

      Enabled

      Always

      Admin Templates > System > Power Management > Button Settings

      Select the Power button action (plugged in)

      Sleep

      SetPowerPolicies=True

      Select the Power button action (on battery)

      Sleep

      SetPowerPolicies=True

      Select the Sleep button action (plugged in)

      Sleep

      SetPowerPolicies=True

      Select the lid switch action (plugged in)

      Sleep

      SetPowerPolicies=True

      Select the lid switch action (on battery)

      Sleep

      SetPowerPolicies=True

      Admin Templates > System > Power Management > Sleep Settings

      Require a password when a computer wakes (plugged in)

      Enabled

      SignInOnResume=True

      Require a password when a computer wakes (on battery)

      Enabled

      SignInOnResume=True

      Specify the system sleep timeout (plugged in)

      *SleepTimeout*

      SetPowerPolicies=True

      Specify the system sleep timeout (on battery)

      *SleepTimeout*

      SetPowerPolicies=True

      Turn off hybrid sleep (plugged in)

      Enabled

      SetPowerPolicies=True

      Turn off hybrid sleep (on battery)

      Enabled

      SetPowerPolicies=True

      Specify the unattended sleep timeout (plugged in)

      *SleepTimeout*

      SetPowerPolicies=True

      Specify the unattended sleep timeout (on battery)

      *SleepTimeout*

      SetPowerPolicies=True

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      SetPowerPolicies=True

      Allow standby states (S1-S3) when sleeping (on battery)

      Enabled

      SetPowerPolicies=True

      Specify the system hibernate timeout (plugged in)

      Enabled, 0

      SetPowerPolicies=True

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      SetPowerPolicies=True

      Admin Templates>System>Power Management>Video and Display Settings

      Turn off the display (plugged in)

      *SleepTimeout*

      SetPowerPolicies=True

      Turn off the display (on battery

      *SleepTimeout*

      SetPowerPolicies=True

      Admin Templates>System>Logon

      Show first sign-in animation

      Disabled

      Always

      Hide entry points for Fast User Switching

      Enabled

      Always

      Turn on convenience PIN sign-in

      Disabled

      Always

      Turn off picture password sign-in

      Enabled

      Always

      Turn off app notification on the lock screen

      Enabled

      Always

      Allow users to select when a password is required when resuming from connected standby

      Disabled

      SignInOnResume=True

      Block user from showing account details on sign-in

      Enabled

      Always

      Admin Templates>System>User Profiles

      Turn off the advertising ID

      Enabled

      SetEduPolicies=True

      Admin Templates>Windows Components

      Do not show Windows Tips

      *Only on Pro, Enterprise, Pro Education, and Education*

      Enabled

      SetEduPolicies=True

      Turn off Microsoft consumer experiences

      *Only on Pro, Enterprise, Pro Education, and Education*

      Enabled

      SetEduPolicies=True

      Microsoft Passport for Work

      Disabled

      Always

      Prevent the usage of OneDrive for file storage

      Enabled

      Always

      Admin Templates>Windows Components>Biometrics

      Allow the use of biometrics

      Disabled

      Always

      Allow users to log on using biometrics

      Disabled

      Always

      Allow domain users to log on using biometrics

      Disabled

      Always

      Admin Templates>Windows Components>Data Collection and Preview Builds

      Toggle user control over Insider builds

      Disabled

      Always

      Disable pre-release features or settings

      Disabled

      Always

      Do not show feedback notifications

      Enabled

      Always

      Admin Templates>Windows Components>File Explorer

      Show lock in the user tile menu

      Disabled

      Always

      Admin Templates>Windows Components>Maintenance Scheduler

      Automatic Maintenance Activation Boundary

      *MaintenanceStartTime*

      Always

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      Always

      Automatic Maintenance WakeUp Policy

      Enabled

      Always

      Admin Templates>Windows Components>Microsoft Edge

      Open a new tab with an empty tab

      Disabled

      SetEduPolicies=True

      Configure corporate home pages

      Enabled, about:blank

      SetEduPolicies=True

      Admin Templates>Windows Components>Search

      Allow Cortana

      Disabled

      SetEduPolicies=True

      Windows Settings>Security Settings>Local Policies>Security Options

      Interactive logon: Do not display last user name

      Enabled, Disabled when account model is only guest

      Always

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      Always

      Shutdown: Allow system to be shut down without having to log on

      Disabled

      Always

      User Account Control: Behavior of the elevation prompt for standard users

      Auto deny

      Always



      - - - -## Related topics - -[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md) - - -  - -  - - - - - diff --git a/windows/whats-new/images/bulk-token.PNG b/windows/whats-new/images/bulk-token.PNG new file mode 100644 index 0000000000..b0d2221824 Binary files /dev/null and b/windows/whats-new/images/bulk-token.PNG differ diff --git a/windows/whats-new/images/wcd-options.png b/windows/whats-new/images/wcd-options.png index e7a89454b8..b3d998ba1b 100644 Binary files a/windows/whats-new/images/wcd-options.png and b/windows/whats-new/images/wcd-options.png differ diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 1c6c94f739..265b3b3910 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -130,7 +130,7 @@ Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilit ### Shared PC mode -Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../manage/set-up-shared-or-guest-pc.md) +Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../configure/set-up-shared-or-guest-pc.md) ### Application Virtualization (App-V) for Windows 10 diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 740feb0527..f92b7cc421 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -29,6 +29,14 @@ Windows Configuration Designer in Windows 10, version 1703, includes several new [Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md) + +### Bulk enrollment in Azure Active Directory + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](images/bulk-token.png) + + ### Windows Spotlight The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: @@ -48,7 +56,7 @@ Additional MDM policy settings are available for Start and taskbar layout. For d Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md). -### Lockdown Designer app for Windows 10 Mobile lockdown files +### Lockdown Designer for Windows 10 Mobile lockdown files The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). @@ -58,11 +66,6 @@ The Lockdown Designer app helps you configure and create a lockdown XML file to -### Kiosk mode for Windows 10 Mobile - -In Windows 10 Mobile, version 1703, [Apps Corner](https://support.microsoft.com/instantanswers/7959c547-aa80-5ff1-9097-1784b6894845/set-up-apps-corner) is removed. Enterprises can use [Enterprise Assigned Access to configure kiosk experiences](../configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) on devices running Windows 10 Mobile. - - ## Deployment @@ -70,7 +73,9 @@ In Windows 10 Mobile, version 1703, [Apps Corner](https://support.microsoft.com/ MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability and supports additional partition types. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md). @@ -82,7 +87,9 @@ Using Azure AD also means that you can remove an employee’s profile (for examp ## Security -### Windows Defender Advanced Threat Protection (Windows Defender ATP) +### Windows Defender Advanced Threat Protection + +New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include: - **Detection**
      Enhancements to the detection capabilities include: - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. @@ -109,8 +116,8 @@ Using Azure AD also means that you can remove an employee’s profile (for examp -### Windows Defender Antivirus (Windows Defender AV) -New features for Windows Defender AV in Windows 10, version 1703 include: +### Windows Defender Antivirus +New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include: - [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md) - [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md) @@ -162,7 +169,16 @@ Added policies include: To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md) -## Learn more +## Manage +### Application Virtualization for Windows (App-V) +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +To see info about these updates, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md), [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-sequencing.md), [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md), and [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md) + +## Related topics + +- [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update) - [Windows 10 release information](https://technet.microsoft.com/windows/release-info) - [What's new in MDM in Windows 10, version 1703](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) +- [Manage Windows upgrades with Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md)