Merge remote-tracking branch 'refs/remotes/origin/rs1' into jdprov

This commit is contained in:
jdeckerMS
2016-06-20 09:52:17 -07:00
16 changed files with 242 additions and 105 deletions

View File

@ -21,6 +21,7 @@
### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)

View File

@ -12,6 +12,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## June 2016
| New or changed topic | Description |
| ---|---|
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the sample script for Shell Launcher. |
## May 2016
| New or changed topic | Description |
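Review bot: The new June 2016 table lists only the Shell Launcher sample script update, but this same commit also adds the topic "Guidelines for choosing an app for assigned access (kiosk mode)" (guidelines-for-assigned-access-app.md) and links it from the table of contents. Add a row for the new topic so the change history matches what the commit ships.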

View File

@ -54,9 +54,8 @@ Device Guard is a feature set that consists of both hardware and software system
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
| | |
|-------------------------------------------------------|----------|
| Description | Limit |
|-------------------------------------------------------|----------|
| Maximum size for a policy or catalog file | 3.5 MB |
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
@ -68,9 +67,8 @@ When you're uploading files for Device Guard signing, there are a few limits for
Catalog and policy files have required files types.
| | |
|---------------|--------------------|
| File | Required file type |
|---------------|--------------------|
| catalog files | .cat |
| policy files | .bin |
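Review bot: The sentence that introduces this table, "Catalog and policy files have required files types.", still reads "files types". Since the table under it is being touched, change it to "required file types" so it matches the column header "Required file type".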

View File

@ -21,7 +21,7 @@ You can configure a mobile device management (MDM) tool to synchronize your Stor
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Windows Store for Business.
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md).
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune).
Store for Business services provide:
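Review bot: The link added to the "For more information" sentence sends the Intune article to docs.microsoft.com/intune/deploy-use/..., while the Related topics entry with the same article title in this file still uses https://technet.microsoft.com/library/mt676514.aspx and spells the product "InTune". Use one URL and the "Intune" spelling in both places so the page does not carry two different targets for one reference.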
@ -62,7 +62,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
[Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md)
[Manage apps you purchased from the Windows Store for Business with Micosoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
[Manage apps you purchased from the Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
 

View File

@ -13,11 +13,18 @@ author: brianlic-msft
- Windows 10
In Windows 10, version 1511, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education.
In Windows 10, version 1607, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education.
| Policy name | Policy path | Comments |
| - | - | - |
| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |
| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps (assigned access) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. |
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |
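Review bot: In the combined row for "Do not require CTRL+ALT+DEL" and "Turn off app notifications on the lock screen", the two paths are listed in the opposite order to the two policy names. "Do not require CTRL+ALT+DEL" is the "Interactive logon" security option, so its path is the "Security Options > Interactive logon" one, and "Turn off app notifications on the lock screen" is the "System > Logon" administrative template. Swap the paths (or the names) so each name lines up with its own path. The same row uses `</br>`, which is not a valid tag, where the Store row uses `<br>`, and the Start layout row still separates its path with backslashes while every other row uses " > ".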

View File

@ -0,0 +1,103 @@
---
title: Guidelines for choosing an app for assigned access (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Guidelines for choosing an app for assigned access (kiosk mode)
**Applies to**
- Windows 10
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607.
## General guidelines
- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](https://msdn.microsoft.com/en-us/library/windows/hardware/mt228170(v=vs.85).aspx#install_your_apps).
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
## Guidelines for Windows apps that launch other apps
Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
## Guidelines for web browsers
Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps.
If you use a web browser as your assigned access app, consider the following tips:
- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store.
- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorers web address bar.
- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
**To block access to the file system from Internet Explorer's web address bar**
1. On the Start screen, type the following:
`gpedit.msc`
2. Press **Enter** or click the gpedit icon to launch the group policy editor.
3. In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar:
- A UNC path (\\<server>\<share>)
- A local drive (C:\)
- A local folder (\temp)
## Secure your information
Avoid selecting Windows apps that may expose the information you dont want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access.
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access . For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
Check the guidelines published by your selected app and do the setup accordingly.
## Develop your kiosk app
Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/en-us/library/windows/hardware/mt633799%28v=vs.85%29.aspx).
## Test your assigned access experience
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
 ## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
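Review bot: Step 4 of "To block access to the file system from Internet Explorer's web address bar" tells the reader to select **Disabled** for **Remove Run menu from Start Menu** and then says that disabling the policy is what blocks UNC paths, local drives and local folders in the Address Bar. That restriction is applied when the policy is Enabled, so as written the procedure leaves the address bar open on the kiosk. Change "select **Disabled**" to "select **Enabled**" and "Disabling this policy" to "Enabling this policy". Smaller points in the same file: "Internet Explorers" and "dont" are missing apostrophes, "locates in a public setting" should read "is located in a public setting", there is a stray space before the period in "assigned access ." and "above lock .", and the non-breaking space in front of "## Learn more" will stop that line rendering as a heading.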
 
 

View File

@ -101,7 +101,7 @@ Assigned access does not work on a device that is connected to more than one mon
3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be displayed.
4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
@ -293,76 +293,84 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici
Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```
$COMPUTER = localhost
$NAMESPACE = root\standardcimv2\embedded
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]\\$COMPUTER\${NAMESPACE}:WESL_UserSetting
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = S-1-5-32-544
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
return $NTUserSID.Value
}
}
# Get the SID for a user account named Cashier. Rename Cashier to an existing account on your system to test this script.
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID(Cashier)
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
# Examples. You can change these examples to use the program that you want to use as the shell.
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell(cmd.exe, $restart_device)
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
`nDefault Shell is set to + $DefaultShellObject.Shell + and the default action is set to + $DefaultShellObject.defaultaction
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for Cashier, and restart the machine if Internet Explorer is closed.
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, c:\program files\internet explorer\iexplore.exe www.microsoft.com, ($null), ($null), $restart_shell)
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, explorer.exe)
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
# View all the custom shells defined.
`nCurrent settings for custom shells:
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
`nEnabled is set to + $IsShellLauncherEnabled.Enabled
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## Related topics
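Review bot: The comment on the Cashier example says the machine restarts if Internet Explorer is closed, but the SetCustomShell call under it passes $restart_shell, which the script defines as 0 and which restarts only the shell. Pass $restart_device, or reword the comment to say the shell is restarted. Also, the script ends by calling RemoveCustomShell for both SIDs and, with the newly added block, SetEnabled($FALSE), so a reader who runs it unmodified finishes with Shell Launcher disabled and no custom shells. The "Remove the new custom shells" and "Disable Shell Launcher" comments should say that these two sections are cleanup for a test run and must be deleted when configuring a real kiosk.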

View File

@ -445,24 +445,24 @@ Dependent settings group/pages will be automatically enabled when a quick action
The following table lists the dependencies between quick actions and Settings groups/pages.
| Quick action | Settings group | Settings page |
|------------------------------------------------------------|--------------------------------------------------|------------------------------------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_QuickAction\_Bluetooth | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |
| Quick action | Settings group | Settings page |
|-----|-------|-------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_QuickAction\_Bluetooth | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |