Merge remote-tracking branch 'refs/remotes/origin/rs1' into jdprov

jdeckerMS 2016-06-20 09:52:17 -07:00
commit ecad9cff18
16 changed files with 242 additions and 105 deletions


@ -27,6 +27,7 @@
#### [Monitor your Surface Hub](monitor-surface-hub.md)
#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
#### [Windows updates](manage-windows-updates-for-surface-hub.md)
#### [Wireless network management](wireless-network-management-for-surface-hub.md)

Binary file not shown.

Size: 39 KiB


@ -57,7 +57,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
```PowerShell
Set-Mailbox $acctUpn -Type Regular
Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy
Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy.Id
Set-Mailbox $acctUpn -Type Room
Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
```
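Review bot: The last line of this block identifies the mailbox as `$credNewAccount.UserName` while the four lines above it use `$acctUpn`. If the two can ever differ, the room mailbox password is set on a different account from the one that just received the ActiveSync policy. Suggest using `$acctUpn` throughout, or stating in the text that both variables hold the same UPN.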
@ -66,7 +66,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. Connect to Azure AD.
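Review bot: The first `Set-CalendarProcessing` line in this block still reads `AllowConflicts $false DeleteComments $false` with no leading hyphen on either name, so they are passed as positional arguments rather than parameters and the command will not run as documented. Since this block is being touched anyway, suggest correcting it to `-AllowConflicts $false -DeleteComments $false`.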


@ -445,7 +445,7 @@ Possible fixes for issues with Surface Hub first-run program.
## Exchange ActiveSync errors
This section liss status codes, mapping, user messages, and actions an admin can take to solve Exchange ActiveSync errors.
This section lists status codes, mapping, user messages, and actions an admin can take to solve Exchange ActiveSync errors.
<table>
<colgroup>
@ -453,12 +453,10 @@ This section liss status codes, mapping, user messages, and actions an admin can
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Status Code</th>
<th align="left">Count of EventResult</th>
<th align="left">Mapping</th>
<th align="left">User-Friendly Message</th>
<th align="left">Action admin should take</th>
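Review bot: With the "Count of EventResult" header and one `<col>` removed, the table has four columns but the remaining `<col width="20%" />` entries still add up to 80%. Suggest changing the four widths to 25%, or dropping the explicit widths.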
@ -467,21 +465,18 @@ This section liss status codes, mapping, user messages, and actions an admin can
<tbody>
<tr class="odd">
<td align="left"><p>-2063532030</p></td>
<td align="left"><p>3849</p></td>
<td align="left"><p>E_HTTP_DENIED</p></td>
<td align="left"><p>The password must be updated.</p></td>
<td align="left"><p>Update the password.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2147012867</p></td>
<td align="left"><p>1234</p></td>
<td align="left"><p>WININET_E_CANNOT_CONNECT</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while and try again, or check the account settings.</p></td>
<td align="left"><p>Verify that the server name is correct and reachable. Verify that the device is connected to the network.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2046817239</p></td>
<td align="left"><p>316</p></td>
<td align="left"><p>E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies dont match)</p></td>
<td align="left"><p>The account is configured with policies not compatible with Surface Hub</p>
.</td>
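Review bot: In the E_NEXUS_STATUS_DEVICE_NOTPROVISIONED row the closing period sits on its own line after `</p>`, outside the paragraph, so it renders detached from the sentence. Suggest moving it inside: `<p>The account is configured with policies not compatible with Surface Hub.</p></td>`.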
@ -490,105 +485,90 @@ This section liss status codes, mapping, user messages, and actions an admin can
</tr>
<tr class="even">
<td align="left"><p>-2046817204</p></td>
<td align="left"><p>145</p></td>
<td align="left"><p>E_NEXUS_STATUS_MAXIMUMDEVICESREACHED</p></td>
<td align="left"><p>The account has too many device partnerships.</p></td>
<td align="left"><p>Delete one or more partnerships on the server.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2046817270</p></td>
<td align="left"><p>93</p></td>
<td align="left"><p>E_NEXUS_STATUS_SERVERERROR_RETRYLATER</p></td>
<td align="left"><p>Cant connect to the server right now.</p></td>
<td align="left"><p>Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2063269885</p></td>
<td align="left">28</td>
<td align="left"><p>E_CREDENTIALS_EXPIRED (Credentials have expired and need to be updated)</p></td>
<td align="left"><p>The password must be updated.</p></td>
<td align="left"><p>Update the password.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2063269875</p></td>
<td align="left">14</td>
<td align="left"><p>E_AIRSYNC_RESET_RETRY</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2046817258</p></td>
<td align="left">14</td>
<td align="left"><p>E_NEXUS_STATUS_USER_HASNOMAILBOX</p></td>
<td align="left"><p>The mailbox was migrated to a different server.</p></td>
<td align="left"><p>You should never see this error. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2063532028</p></td>
<td align="left">12</td>
<td align="left"><p>E_HTTP_FORBIDDEN</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while and try again, or check the accounts settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2063400920</p></td>
<td align="left">12</td>
<td align="left"><p>E_ACTIVESYNC_PASSWORD_OR_GETCERT</p></td>
<td align="left"><p>The accounts password or client certificate are missing or invalid.</p></td>
<td align="left"><p>Update the password and/or deploy the client certificate.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2046817238</p></td>
<td align="left">12</td>
<td align="left"><p>E_NEXUS_STATUS_DEVICE_POLICYREFRESH</p></td>
<td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
<td align="left"><p>Disable the PasswordEnabled policy for this account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2063269886</p></td>
<td align="left">7</td>
<td align="left"><p>E_CREDENTIALS_UNAVAILABLE</p></td>
<td align="left"><p>The password must be updated.</p></td>
<td align="left"><p>Update the password.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2147012894</p></td>
<td align="left">6</td>
<td align="left"><p>WININET_E_TIMEOUT</p></td>
<td align="left"><p>The network doesnt support the minimum idle timeout required to receive server notification, or the server is offline.</p></td>
<td align="left"><p>Verify that the server is running. Verify the NAT settings.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2063589372</p></td>
<td align="left">6</td>
<td align="left"><p>E_FAIL_ABORT</p></td>
<td align="left"><p>This error is used to interrupt the hanging sync, and will not be exposed to users. It will be shown in the telemetry if you force an interactive sync, delete the account, or update its settings.</p></td>
<td align="left"><p>Nothing.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2063532009</p></td>
<td align="left">5</td>
<td align="left"><p>E_HTTP_SERVICE_UNAVAIL</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2046817267</p></td>
<td align="left">4</td>
<td align="left"><p>E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE</p></td>
<td align="left"><p>Cant connect to the server right now. Wait a while or check the accounts settings.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>-2063400921</p></td>
<td align="left">3</td>
<td align="left"><p>E_ACTIVESYNC_GETCERT</p></td>
<td align="left"><p>The Exchange server requires a certificate.</p></td>
<td align="left"><p>Import the appropriate EAS certificate on the Surface Hub.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2046817237</p></td>
<td align="left">2</td>
<td align="left"><p>E_NEXUS_STATUS_INVALID_POLICYKEY</p></td>
<td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
<td align="left"><p>Disable the PasswordEnabled policy for this account.</p>
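Review bot: In the E_NEXUS_STATUS_DEVICE_POLICYREFRESH and E_NEXUS_STATUS_INVALID_POLICYKEY rows the admin action is "Disable the PasswordEnabled policy for this account", which does not say where that setting lives. Suggest wording it as disabling PasswordEnabled in the ActiveSync mailbox policy assigned to the Surface Hub device account, so that an admin does not relax the password requirement in a policy shared with user mailboxes.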
@ -596,14 +576,12 @@ This section liss status codes, mapping, user messages, and actions an admin can
</tr>
<tr class="odd">
<td align="left"><p>-2063532027</p></td>
<td align="left">1</td>
<td align="left"><p>E_HTTP_NOT_FOUND</p></td>
<td align="left"><p>The server name is invalid.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. If the issue persists, re-provision the account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>-2063532012</p></td>
<td align="left">1</td>
<td align="left"><p>E_HTTP_SERVER_ERROR</p></td>
<td align="left"><p>Cant connect to the server.</p></td>
<td align="left"><p>Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.</p></td>
@ -611,34 +589,29 @@ This section liss status codes, mapping, user messages, and actions an admin can
<tr class="odd">
<td align="left"><p>0x80072ee7</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>The server name or address could not be resolved.</p></td>
<td align="left"><p>Make sure the server name is entered correctly.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x8007052f</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>While auto-discovering the Exchange server, a policy is applied that prevents the logged-in user from logging in to the server.</p></td>
<td align="left"><p>This is a timing issue. Re-verify the account's credentials. Try to re-provision when they're correct.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>0x800c0019</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>Security certificate required to access this resource is invalid.</p></td>
<td align="left"><p>Install the correct ActiveSync certificate needed for the provided device account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>0x80072f0d</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>The certificate authority is invalid or is incorrect. Could not auto-discover the Exchange server because a certificate is missing.</p></td>
<td align="left"><p>Install the correct ActiveSync certificate needed for the provided device account.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>0x80004005</p></td>
<td align="left"></td>
<td align="left"><p>E_FAIL</p></td>
<td align="left"><p>The domain provided couldn't be found. The Exchange server could not be auto-discovered and was not provided in the settings.</p></td>
<td align="left"><p>Make sure that the domain entered is the FQDN, and that there is an Exchange server entered in the Exchange server text box.</p></td>
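Review bot: The rows from 0x80072ee7 onward give the status code in hex while every row above uses signed decimal, and four of the five have an empty Mapping cell (only 0x80004005 carries E_FAIL). Suggest using one representation for the whole table, or showing both, and filling in the Mapping names, so that an admin searching for the value the device reports lands on exactly one row.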
@ -646,7 +619,6 @@ This section liss status codes, mapping, user messages, and actions an admin can
<tr class="even">
<td align="left"><p>0x80072efd</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>Fail to connect to Exchange server as a result of a networking issue. It's possible the server was misspelled or it just couldn't be found.</p></td>
<td align="left"><p>Make sure that the Exchange server ID is entered correctly, and that the device is connected to the right network.</p></td>
</tr>
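Review bot: The 0x80072efd row duplicates an earlier one: 0x80072efd is the same 32-bit value as -2147012867, which the table already lists as WININET_E_CANNOT_CONNECT with a different user message and admin action. Suggest merging the two rows and keeping one set of guidance.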


@ -0,0 +1,26 @@
---
title: Use fully qualified doman name with Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
author: TrudyHa
---
# When to use a fully qualified domain name with Surface Hub
A fully qualified domain name (FQDN) is a domain name that explicitly states the location in the Domain Name System (DNS) hierarchy. All levels of a domain are specified. In the case of Skype for Business on the Surface Hub, there are a few scenarios where you need to use a FQDN.
- **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.
- **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. The Skype app needs to know the FQDN of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
## Add FQDN to Surface Hub
You use the Settings app on Surface Hub to add FQDN information. You can add multiple entries, if needed.
**To add Skype for Business Server FQDN**</br>
1. On Surface Hub open the **Settings** app.
2. Navigate to **System**, **Microsoft Surface Hub**.
3. Under **Skype for Business**, click **Add FQDN**.
4. Type the FQDN for the Skype for Business certificate. You can type multiple FQDNs separated by a comma. For example: lync.com, outlook.com, lync.glbdns.microsoft.com.
![Add Skype for Business FQDN to Settings](images/system-settings-add-fqdn.png)
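Review bot: In step 4 the example list "lync.com, outlook.com, lync.glbdns.microsoft.com" uses real Microsoft domains for a setting that, per the "Working with certificates" bullet, tells the Skype app which certificate FQDNs to trust, and readers may paste it as is. Suggest placeholder names such as contoso.com and a sentence saying to list only the FQDNs of your own Skype for Business certificates. In the front matter, the title has "doman" for "domain", and the description and keywords are copied from the troubleshooting topic rather than describing FQDN setup.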


@ -243,6 +243,8 @@ The **Set up School PCs** app produces a specialized provisioning package that m
</tr>
<tr> <td colspan="2"> <p> <strong>Windows Settings</strong> > <strong>Security Settings</strong> > <strong>Local Policies</strong> > <strong>Security Options</strong></p> </td>
</tr>
<tr><td><p>Accounts: Block Microsoft accounts</p></td><td><p>Enabled</p></td></tr>
<tr> <td> <p> Interactive logon: Do not display last user name </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p> Disabled</p> </td>
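Review bot: The row "Accounts: Block Microsoft accounts" lists its value as "Enabled", but this security option is not an on/off setting: it offers "Users can't add Microsoft accounts" and "Users can't add or log on with Microsoft accounts". Suggest stating which of the two the provisioning package applies, since they differ in whether existing Microsoft accounts can still sign in. The row is also written on one line as `<tr><td><p>` while its neighbours use spaced tags.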


@ -102,11 +102,11 @@ Download for others allows teachers or IT admins to download a packages that the
- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
- Your students share Windows 10 computers, but sign in with their own Windows account.
**Requirements**
#### Requirements
- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app.
- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition.
**Check for updates**</br>
#### Check for updates
Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Windows Store apps.
**To check for app updates**
@ -121,7 +121,7 @@ Minecraft: Education Edition will not install if there are updates pending for o
4. Restart the computer before installing Minecraft: Education Edition.
**To download for others**</br>
#### To download for others
You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC.
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
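Review bot: "To download for others" is promoted to a `####` heading here, while the equally procedural "**To check for app updates**" just above stays a bold label. Suggest treating both the same way, either both as headings or both as bold procedure titles.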
@ -135,8 +135,20 @@ You'll download a .zip file, extract the files, and then use one of the files to
5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install.
6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
**Note**:</br>
If Minecraft: Education Edition does not install, you may need to update other Windows Store apps on your computer before you can install Minecraft: Education Edition. To do this, open the Windows Store for Business and select the Account button in the top right corner of your screen (next to Search.) Select Check for updates and install all available updates. Now Minecraft should install.
#### Troubleshoot
If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edition isn't available, there are a few things that might have happened.
| Problem | Possible cause | Solution |
|---------|----------------|----------|
| Script ran, but it doesn't look like the app installed. | There might be pending app updates. | Check for app updates (see steps earlier in this topic). </br> Install updates. </br> Restart PC. </br> Run **InstallMinecraftEducationEdition.bat** again. |
| App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. |
| App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. |
| Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. |
| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app will not be available.| Restart PC. </br> Run **InstallMinecraftEducationEdition.bat** again. </br> If a restart doesn't work, contact your IT Admin. |
If you are still having trouble installing the app, you can get more help on our [Support page](http://go.microsoft.com/fwlink/?LinkID=799757).
## Related topics
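Review bot: The Support page link on the last line of the new Troubleshoot section uses `http://go.microsoft.com/fwlink/?LinkID=799757`; suggest `https://` so the redirect is not fetched in clear text. The table cells also use `</br>`, which is not a valid tag; `<br>` is the intended line break.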


@ -29,6 +29,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.|
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New |
## April 2016
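Review bot: The Windows Defender Advanced Threat Protection row has a typo, "(mutiple topics)"; it should read "(multiple topics)".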
@ -88,4 +89,4 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
- [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
- [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)


@ -21,6 +21,7 @@
### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)


@ -12,6 +12,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## June 2016
| New or changed topic | Description |
| ---|---|
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the sample script for Shell Launcher. |
## May 2016
| New or changed topic | Description |
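Review bot: The June 2016 table lists only the Shell Launcher script update, but this commit also adds "Guidelines for choosing an app for assigned access (kiosk mode)" to the table of contents as a new topic. Suggest adding a row for guidelines-for-assigned-access-app.md marked "New".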


@ -54,9 +54,8 @@ Device Guard is a feature set that consists of both hardware and software system
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
| | |
|-------------------------------------------------------|----------|
| Description | Limit |
|-------------------------------------------------------|----------|
| Maximum size for a policy or catalog file | 3.5 MB |
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
@ -68,9 +67,8 @@ When you're uploading files for Device Guard signing, there are a few limits for
Catalog and policy files have required files types.
| | |
|---------------|--------------------|
| File | Required file type |
|---------------|--------------------|
| catalog files | .cat |
| policy files | .bin |


@ -21,7 +21,7 @@ You can configure a mobile device management (MDM) tool to synchronize your Stor
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Windows Store for Business.
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md).
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune).
Store for Business services provide:
@ -62,7 +62,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
[Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md)
[Manage apps you purchased from the Windows Store for Business with Micosoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
[Manage apps you purchased from the Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
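Review bot: The corrected link text still spells the product "InTune" and points to technet.microsoft.com/library/mt676514.aspx, while the link added earlier in this file for the same article uses "Intune" and a docs.microsoft.com URL. Suggest using the same spelling and the same target in both places.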
 


@ -13,11 +13,18 @@ author: brianlic-msft
- Windows 10
In Windows 10, version 1511, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education.
In Windows 10, version 1607, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education.
| Policy name | Policy path | Comments |
| - | - | - |
| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |
| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps (assigned access) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. |
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |
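Review bot: In the "Do not require CTRL+ALT+DEL combined with Turn off app notifications on the lock screen" row, the two policy paths are listed in the opposite order to the two policy names. "Do not require CTRL+ALT+DEL" is the Security Options > Interactive logon setting and "Turn off app notifications on the lock screen" is under Administrative Templates > System > Logon. Suggest swapping the paths, or pairing each name with its path explicitly, so an admin does not look for either setting in the wrong node.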


@ -0,0 +1,103 @@
---
title: Guidelines for choosing an app for assigned access (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Guidelines for choosing an app for assigned access (kiosk mode)
**Applies to**
- Windows 10
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607.
## General guidelines
- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](https://msdn.microsoft.com/en-us/library/windows/hardware/mt228170(v=vs.85).aspx#install_your_apps).
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
## Guidelines for Windows apps that launch other apps
Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
## Guidelines for web browsers
Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps.
If you use a web browser as your assigned access app, consider the following tips:
- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store.
- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorers web address bar.
- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
**To block access to the file system from Internet Explorer's web address bar**
1. On the Start screen, type the following:
`gpedit.msc`
2. Press **Enter** or click the gpedit icon to launch the group policy editor.
3. In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar:
- A UNC path (\\<server>\<share>)
- A local drive (C:\)
- A local folder (\temp)
## Secure your information
Avoid selecting Windows apps that may expose the information you dont want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access.
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access . For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
Check the guidelines published by your selected app and do the setup accordingly.
## Develop your kiosk app
Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/en-us/library/windows/hardware/mt633799%28v=vs.85%29.aspx).
## Test your assigned access experience
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
 ## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
 
 

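Review bot: Step 4 of the Group Policy procedure sets **Remove Run menu from Start Menu** to **Disabled**, but the restrictions listed under it (UNC path, local drive and local folder in the Internet Explorer address bar) are what this policy applies when it is **Enabled**. As written, the procedure leaves the kiosk's address bar able to reach the file system. Change "select **Disabled**" to "select **Enabled**" and "Disabling this policy prevents" to "Enabling this policy prevents". Smaller points in the same file: "Internet Explorers" and "dont" have lost their apostrophes, "assigned access ." and "above lock ." have a stray space before the period, and the extra leading whitespace in front of "## Learn more" may stop that line rendering as a heading.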
View File

@ -101,7 +101,7 @@ Assigned access does not work on a device that is connected to more than one mon
3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be displayed.
4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
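Review bot: Step 5, directly below the edited step 4, has lost the punctuation between "Settings" and "your" ("Close **Settings** your choices are saved automatically"), so fix it while this list is being touched. The added cross-reference in step 4 is fine. Consider saying in the same sentence that the linked guidelines cover which apps are safe to expose to an anonymous user, since that is the reason a reader should follow the link before choosing.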
@ -293,76 +293,84 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici
Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```
$COMPUTER = “localhost”
$NAMESPACE = “root\standardcimv2\embedded”
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]”\\$COMPUTER\${NAMESPACE}:WESL_UserSetting”
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = “S-1-5-32-544”
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
return $NTUserSID.Value
}
}
# Get the SID for a user account named “Cashier”. Rename “Cashier” to an existing account on your system to test this script.
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID(“Cashier”)
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
# Examples. You can change these examples to use the program that you want to use as the shell.
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell(“cmd.exe”, $restart_device)
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
“`nDefault Shell is set to “ + $DefaultShellObject.Shell + “ and the default action is set to “ + $DefaultShellObject.defaultaction
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for “Cashier”, and restart the machine if Internet Explorer is closed.
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, “c:\program files\internet explorer\iexplore.exe www.microsoft.com”, ($null), ($null), $restart_shell)
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, “explorer.exe”)
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
# View all the custom shells defined.
“`nCurrent settings for custom shells:”
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
“`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## Related topics
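Review bot: The new "# Disable Shell Launcher" block at the end of the script, together with the existing "# Remove the new custom shells." block, undoes everything the script has just configured, while the paragraph above the fence tells the reader to save the script and run it on the kiosk device. Anyone who follows that instruction without trimming the tail ends up with no custom shells and Shell Launcher turned off. Mark both trailing blocks in their comments as test cleanup to delete for a real deployment, or move them out into a separate "undo" snippet. Also worth a comment in the script: `SetDefaultShell("cmd.exe", $restart_device)` gives every account without a custom shell a command prompt, which is a demonstration value and not something to leave on a public kiosk. Style: the opening fence is a bare three backticks, whereas other topics in this commit tag their scripts as PowerShell.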

View File

@ -445,24 +445,24 @@ Dependent settings group/pages will be automatically enabled when a quick action
The following table lists the dependencies between quick actions and Settings groups/pages.
| Quick action | Settings group | Settings page |
|------------------------------------------------------------|--------------------------------------------------|------------------------------------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_QuickAction\_Bluetooth | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |
| Quick action | Settings group | Settings page |
|-----|-------|-------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_QuickAction\_Bluetooth | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |
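Review bot: In the reflowed table, the first data row has no space before the second pipe ("SettingsPageSystemDisplay| SettingsPageDisplay"), unlike every other row; add the space so the cell padding is consistent. The rest of the hunk is a whitespace-only change with the cell values carried over unchanged, so it would help to say that in the commit description, because a 24-line table rewrite otherwise has to be compared cell by cell.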