deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into delop

Browse Source
This commit is contained in:
jaimeo 2017-11-13 13:24:13 -08:00
commit f2589e35f1
178 changed files with 3367 additions and 2067 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.openpublishing.publish.config.json
View File

@ -466,8 +466,7 @@
"branches_to_filter": [
""
],
"git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
"git_repository_branch_open_to_public_contributors": "master",
"git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client",
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"resolve_user_profile_using_github": true,

5
bcs/TOC.md
View File

@ -1 +1,4 @@
# [Microsoft 365 Business FAQ](support/microsoft-365-business-faqs.md)
# [Microsoft 365 Business documentation and resources](index.md)
# [Support]()
## [Microsoft 365 Business FAQ](support/microsoft-365-business-faqs.md)
## [Transition a Microsoft 365 Business CSP subscription](support/transition-csp-subscription.md)

21
bcs/index.md
View File

@ -680,7 +680,26 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
</a>
</li>
</li>
<li>
<a href="support/transition-csp-subscription.md" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-advanced-management- billing-7.svg" alt="Billing" />
</div>
</div>
<div class="cardText">
<h3>Transition a Microsoft 365 Business CSP subscription</h3>
<p>Find out how you can transition a Microsoft 365 Business CSP subscription from preview to GA.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<!-- placeholder
<li>
<a href="#">

BIN
bcs/support/images/pc_customer_m365bpreview_suspend.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
bcs/support/images/pc_customer_m365bpreview_suspend_confirm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
bcs/support/images/pc_customer_reviewnewsubscription.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
bcs/support/images/pc_customer_subscriptions.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
bcs/support/images/pc_customer_subscriptions_1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
bcs/support/images/pc_customer_userslicenses_m365b_validate.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

399
bcs/support/microsoft-365-business-faqs.md
View File

@ -7,329 +7,180 @@ ms.topic: article 
ms.prod: microsoft-365-business
ms.localizationpriority: high
audience: microsoft-business 
keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers
ms.date: 08/04/2017
keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers, business
ms.date: 11/01/2017
---
# Microsoft 365 Business Frequently Asked Questions
## Introduction
## General
What is Microsoft 365 Business?
--------------------------------
### What is Microsoft 365 Business?
Microsoft 365 is an integrated solution that brings together best-in-class productivity tools, security and device management capabilities for small to medium-sized businesses.
Microsoft 365 Business is a new solution designed for small and midsize businesses (SMB), bringing together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data.
**A holistic set of business productivity and collaboration tools**
* Word, Excel, PowerPoint, Outlook, OneNote, Publisher, and Access
* Exchange, OneDrive, Skype for Business, Microsoft Teams, SharePoint
* Business apps from Office (Bookings, Outlook Customer Manager, MileIQ<sup>[1](#footnote1)</sup>, Microsoft Listings<sup>[1](#footnote1)</sup>, Microsoft Connections<sup>[1](#footnote1)</sup>, Microsoft Invoicing<sup>[1](#footnote1)</sup>)
**Enterprise-grade device management and security capabilities**
* App protection for Office mobile apps
* Device management for Windows 10 PCs
* Consistent security configuration across devices
* Protection of company data across devices
* Windows Defender, always-on and up-to-date
**Simplified device deployment and user setup**
* Single admin console to setup and manage users and devices
* Auto-installation of Office apps on Windows 10 PCs
* Always up-to-date Office + Windows 10
* Streamlined deployment of PCs with Windows AutoPilot
Microsoft 365 Business enables you to:
### Who should consider adopting Microsoft 365 Business?
Microsoft 365 Business was built for small and medium-sized customers that have little to no IT resources on staff and want best-in-class productivity and collaboration capabilities of Office 365 together with device management and security solutions that safeguard business data. The Microsoft 365 Business customer is ready to move their IT operations to the cloud and is interested in maintaining a proactive stance to help protect data on both company and employee-owned devices.
- **Create your best with tools like** Word, Excel, PowerPoint, Outlook, OneNote and Access.
- **Be productive from anywhere,** with business-class email from Outlook and access to cloud files with OneDrive for Business.
- **Conduct online meetings and get instant messaging** with Skype for Business.
- **Collaborate in real time with the chat-based workspace** Microsoft Teams.
- **Safeguard your business** by enforcing malware protection for Windows devices, with Windows Defender.
- **Help protect your data and intellectual property** with App Protection for Office mobile apps on iOS and Android devices, and
Mobile Device Management (MDM) for Windows 10 PCs.
- **Save time and be protected** with consistent configuration across newly deployed PCs running Windows 10 Business and auto deployment
of Office 365 apps, provided by Windows AutoPilot.
- **Be secured and always up to date** with Office 365 updates and Windows 10.
- **Simply manage technology costs** in one subscription, with simple per user, per month pricing.
### How can I get Microsoft 365 Business for my business?
Microsoft 365 Business may be purchased through a <a href="https://www.microsoft.com/solution-providers/search" target="_blank">Microsoft Partner</a> or directly from <a href="https://www.microsoft.com//microsoft-365/business" target="_blank">Microsoft</a>. In choosing whether to purchase directly from Microsoft or via a Microsoft Partner, you should consider your on-staff capability and desire to maintain an IT infrastructure. A Microsoft Partner can help you deploy and manage your IT infrastructure including Microsoft solutions.
Where can I find out more about Microsoft 365 Business?
--------------------------------------------------------
### How much does Microsoft 365 Business cost?
Microsoft 365 Business is offered at USD$20.00 user/month based on an _annual contract_ if purchased directly from Microsoft. When purchased through a Microsoft Partner, pricing can vary based on the services the partner provides and their pricing model for Microsoft 365 Business. There are no planned pricing discounts for government, education or non-profit organizations.
Customers and partners can visit [https://www.microsoft.com/microsoft-365/business](https://www.microsoft.com/microsoft-365/business) where they can sign up to see a demo of Microsoft 365 Business in
action. The preview will be accessible from the web site on August 2, 2017.
### Is there a cap to how many Microsoft 365 Business seats a customer can have?
Microsoft 365 Business was designed for small to medium sized businesses with low to medium IT complexity requirements. Customers may purchase up to 300 Microsoft 365 Business licenses for their organization. Customers can mix and match cloud subscriptions; as a result, depending on their organizations IT requirements, customers may add Microsoft 365 Enterprise licenses to the same account.
When considering an environment consisting of multiple subscription types, customers should work with their trusted IT advisors to determine how best to manage and secure the various subscriptions as Microsoft 365 Business and Microsoft 365 Enterprise use different capabilities to secure and manage applications and data.
Who should consider adopting Microsoft 365 Business?
-----------------------------------------------------
### Can I combine Microsoft 365 Business with other Microsoft subscription offerings?
Yes, customers can combine their Microsoft 365 Business subscriptions with plans and add-ons from Azure, Dynamics 365, Enterprise Mobility + Security, and Office 365.
Microsoft 365 Business was built for small and midsize customers that have little to no IT resources on staff and want best-in-class productivity and collaboration capabilities of Office 365 together with
device management and security solutions that safeguard business data.
### Is everyone in my business required to have a Microsoft 365 Business subscription?
No, not everyone needs a Microsoft 365 Business subscription, although the security and management benefits are available only to those users with devices managed with a Microsoft 365 Business subscription.
Standardizing an IT environment serves to help reduce maintenance and security costs over time and is a state that businesses should strive to attain. However, we recognize that some small and medium size customers update their software primarily when they upgrade their hardware, over an extended period. Businesses can deploy Microsoft 365 Business to part of their organization, but for best protection of sensitive business data and consistent collaboration experiences, deployment to all users is recommended.
How can I get Microsoft 365 Business for my business?
------------------------------------------------------
### How can I know if the hardware and software I run today is compatible with Microsoft 365 Business?
If the hardware you run today runs Windows 7 Pro or later, it likely meets the minimum requirements for Microsoft 365 Business. Certain Windows 10 features such as Cortana, Windows Hello and multitouch require specific hardware that is only available on newer PCs. See the <a href="https://www.microsoft.com/windows/windows-10-specifications" target="_blank">Windows 10 Pro system requirements</a> for additional details.
Existing desktop (Win32) application compatibility is strong in Windows 10, with most existing applications working without any changes. Customers and their trusted IT advisors should read the recommended application testing process for <a href="https://docs.microsoft.com/windows/deployment/planning/windows-10-compatibility#recommended-application-testing-process" target="_blank">Windows 10 compatibility</a> and review the <a href="https://products.office.com/office-system-requirements#subscription-plans-section" target="_blank">Office system requirements</a> to ensure a smooth transition to Microsoft 365 Business.
Microsoft 365 Business may be purchased through a [Microsoft Partner](https://partnercenter.microsoft.com/en-us/pcv/search) or directly from
[Microsoft](https://www.microsoft.com/microsoft-365/business). In choosing whether to purchase directly from Microsoft or via a Microsoft Partner, you should consider your on-staff capability and desire to
maintain an IT infrastructure. A Microsoft Partner can help you deploy and manage your IT infrastructure including Microsoft solutions.
### What is Windows 10 Business?
Windows 10 Business is a set of cloud-services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business. Windows 10 Business also comes with Windows AutoPilot, a service that streamlines the deployment of new Windows 10 PCs. If you have devices that are licensed for Windows 7, 8 and 8.1 Professional, Microsoft 365 Business provides an upgrade to Windows 10 Pro which is the prerequisite for deploying Windows 10 Business.
How much will Microsoft 365 Business cost?
-------------------------------------------
### How does Microsoft 365 Business help support our Bring Your Own Device (BYOD) policy?
Many employees prefer to use their own mobile phones or tablets to access personal and work information rather than carrying multiple devices for each purpose. The use of personal devices for work, while commonplace, increases the risk that business information could end up in the wrong hands. Many competing mobile data protection solutions require users to switch to a specific mode on their device or use another complex mechanism that users may find intrusive and therefore avoid using.
Microsoft 365 Business offers customers a simple but powerful means of enabling employees to use their personal devices for work while providing the business with the ability to prevent those devices from accessing, retaining and/or sharing business information. More specifically:
* **App Protection for Office mobile apps** helps protect Office data, including email, calendar, contacts, and documents on iOS and Android mobile devices, by enforcing policies such as automatically deleting business data after a prescribed amount of time of not connecting to the service, requiring that information is stored only to OneDrive for Business, requiring a PIN/fingerprint verification to access Office apps, and preventing company data from being copied from an Office app into personal apps.
* **Device Management for Windows 10 PCs** allows businesses to choose to set and enforce capabilities such as Windows Defender protection for malware, automatic updates, and turning off screens after a prescribed amount of time. In addition, lost or stolen Windows 10 devices can be completely wiped of business applications and data through the Admin center.
Microsoft 365 Business will be offered at USD\$20.00/mo./user based on an annual contract if purchased directly from Microsoft. When purchased through a Microsoft Partner, pricing can vary based on the services the
partner provides and their pricing model for Microsoft 365 Business. There are no planned pricing discounts for government, education or non-profit organizations.
How are customers billed for Microsoft 365 Business subscriptions?
-------------------------------------------------------------------
When Microsoft 365 Business is purchased via a Microsoft Partner, the bill will come from that Partner and may include additional products and services outside of the subscription pricing. When purchased directly
from Microsoft, the customer is billed by Microsoft.
Is there a cap to how many Microsoft 365 Business seats a customer can have?
-----------------------------------------------------------------------------
Microsoft 365 Business was designed for small to medium sized businesses with low to medium IT complexity requirements. Customers may purchase up to 300 Microsoft 365 Business licenses for their organization. Depending
on their organizations IT requirements, they may add Microsoft 365 Enterprise licenses to the same environment.
When considering an environment consisting of multiple subscription types, customers should work with their trusted IT advisors to determine how best to manage and secure the various subscriptions as Microsoft 365
Business and Microsoft 365 Enterprise use different capabilities to secure and manage applications and data.
Can I combine Microsoft 365 Business with other Microsoft subscription offerings?
----------------------------------------------------------------------------------
Yes, customers can combine their Microsoft 365 Business subscriptions with plans and add-ons from Azure, Dynamics and Office 365.
Does everyone in my business required to have a Microsoft 365 Business subscription?
-------------------------------------------------------------------------------------
No, not everyone needs a Microsoft 365 Business subscription, although the security and management benefits are available only to those users with devices managed with a Microsoft 365 Business subscription.
Standardizing an IT environment serves to help reduce maintenance and security costs over time and is a state that businesses should strive to attain. However, we recognize that some small and medium size customers
update their software primarily when they upgrade their hardware, over an extended period of time. Businesses can deploy Microsoft 365 Business to part of their organization, but for best protection of sensitive
business data and consistent collaboration experiences, deployment to all users is recommended.
How can I know if the hardware and software I run today is compatible with Microsoft 365 Business?
---------------------------------------------------------------------------------------------------
If the hardware you run today runs Windows 7 Professional or later, it likely meets the minimum requirements for Microsoft 365 Business.
Certain Windows 10 features such as Cortana, Windows Hello and multi-touch require specific hardware that is only available on newer PCs. See the [Windows 10 Pro system
requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) for additional details.
Existing desktop (Win32) application compatibility is strong in Windows 10, with most existing applications working without any changes. Customers and their trusted IT advisors should read the recommended
application testing process for [Windows 10 compatibility](https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-compatibility#recommended-application-testing-process)
and review the [Office system requirements](https://products.office.com/en-us/office-system-requirements#subscription-plans-section) to ensure a smooth transition to Microsoft 365 Business.
What is Windows 10 Business?
-----------------------------
Windows 10 Business is a set of cloud-services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business. Windows 10 Business also comes with Windows AutoPilot, a service that streamlines the deployment of new Windows 10 PCs. If you have devices that are licensed for Windows 7, 8 and 8.1 Professional, Microsoft 365 Business provides an upgrade to Windows 10 Pro which is the prerequisite for deploying Windows 10 Business.
How does Microsoft 365 Business help support my companys Bring Your Own Device (BYOD) policy?
-----------------------------------------------------------------------------------------------
Many employees prefer to use their own mobile phones or tablets to access personal and work information rather than carrying multiple devices for each purpose. The use of personal devices for work, while commonplace, increases the risk that business information could end up in the wrong hands. Many competing mobile data protection solutions require users to switch to a specific mode on their device or use another complex mechanism that users may find intrusive and therefore avoid using.
Microsoft 365 Business offers customers a simple but powerful means of enabling employees to use their personal devices for work while providing the business with the ability to prevent those devices from accessing, retaining and/or sharing business information. More specifically:
- **App Protection for Office mobile** helps **apps** protect Office data, including email, calendar, contacts, and documents on iOS and Android mobile devices, by enforcing policies such as automatically deleting business data after a prescribed amount of time of not connecting to the service, requiring that information is stored only to OneDrive for Business, requiring a PIN/fingerprint verification to access Office apps, and preventing company data from being copied from an Office app into personal apps.
- **Mobile Device Management** (MDM) for Windows 10 devices allows businesses to choose to set and enforce capabilities such as Windows Defender protection for malware, automatic updates, and turning off screens after a prescribed amount of time. In addition, lost or stolen Windows 10 devices can be completely wiped of business applications and data through the Admin center.
How does Microsoft 365 Business help protect PCs in my organization from malicious attacks?
--------------------------------------------------------------------------------------------
PCs managed with Microsoft 365 Business are protected with Windows Defender, which is the No. 1 antivirus feature on Windows 10, protecting more computers against viruses, malware, spyware, and other threats than
any other solution. With Microsoft 365 Business, businesses can ensure Windows Defender protection is running and always up to date on all their Windows 10 devices.
### How does Microsoft 365 Business help protect PCs in my organization from malicious attacks?
PCs managed with Microsoft 365 Business are protected with Windows Defender, which is the No. 1 antivirus feature on Windows 10, protecting more computers against viruses, malware, spyware, and other threats than any other solution. With Microsoft 365 Business, businesses can ensure Windows Defender protection is running and always up to date on all their Windows 10 devices
### What's the difference between Office 365 Business Premium, Microsoft 365 Business and Microsoft 365 Enterprise?
Microsoft has a variety of productivity and security management offerings that small to medium-sized customers may consider when upgrading their desktop and device infrastructure, each bringing increasingly powerful features and functionality.
Microsoft has a variety of productivity and security management offerings that small to medium-sized customers may consider when upgrading their desktop and device infrastructure, each bringing increasingly powerful features and functionality.
**Office 365 Business Premium** delivers best-in-class productivity with Office 365 apps and services but does not include the application protection and device management capabilities of Microsoft 365 Business.
**Microsoft 365 Business** combines Office 365 apps and services with mobile application management and Windows 10 Pro to enable remote management and help protect devices against viruses and malware. It includes a simplified management console through which device and data policies may be administered. Many small to midsize businesses can be best served with Microsoft 365 Business, although those in highly regulated industries may require more advanced functionality provided by Microsoft 365 Enterprise plans (E3 and E5).
**Microsoft 365 Business** combines Office 365 apps and services with mobile application management and Windows 10 Pro to enable remote management and help protect devices against viruses and malware. It includes a simplified management console through which device and data policies may be administered. Many small to medium-sized businesses can be best served with Microsoft 365 Business, although those in highly regulated industries may require more advanced functionality provided by Microsoft 365 Enterprise plans (E3 and E5).
**Microsoft 365 Enterprise** is a set of licensing plans that offer increased levels of mobility and security management over Microsoft 365 Business and are designed for enterprise customers and those customers that are required or regulated to provide the highest level of protection for their data. In addition, Microsoft 365 Business plans provide additional functionality including business intelligence and analytics tools.
Can I switch my Office 365 plan to Microsoft 365 Business?
-----------------------------------------------------------
### Can I switch my Office 365 plan to Microsoft 365 Business?
Yes, customers may switch their plans from a qualifying Office 365 plan to Microsoft 365 Business. Depending on the customers current plan there may be a decrease or increase in monthly charges.
Yes, customers may switch their plans from a qualifying Office 365 plan to Microsoft 365 Business is generally available. Depending on the customers current plan there may be a decrease or increase in monthly charges.
### In what regions is Microsoft 365 Business available?
The Microsoft 365 Business will be available to all partners and customers where Office 365 is available. See the list of <a href="https://products.office.com/business/international-availability" target="_blank">Office 365 international availability for languages, countries and regions</a>.
In what regions will Microsoft 365 Business be available?
----------------------------------------------------------
### Is there a Microsoft 365 Business trial I may use to evaluate the offer?
A Microsoft 365 Business trial will be available later this year both for direct customers and for CSPs.
### What should customers and partners know before running Microsoft 365 Business within their organization?
Customers that wish to experience the complete capabilities of Microsoft 365 Business must be running Windows 7, 8.1 or 10 Pro<sup>[2](#footnote2)</sup> on their existing desktops. Customers who use on-premises Active Directory to enable login to PCs will switch devices over cloud identity and management as part of their deployment. Existing Windows 10 Pro PCs should be running Creators Update if they have not already done so.
The Microsoft 365 Business will be available to all partners and customers where Office 365 is available. [See the list of Office 365 international availability for languages, countries and regions](https://products.office.com/en-us/business/international-availability).
## Deployment
## Public Preview
### What should customers consider when planning a Microsoft 365 Business deployment?
The most direct path to a successful Microsoft 365 Business deployment is to engage with a Microsoft Partner. They have extensive training and experience with a wide variety of customer scenarios and are best equipped to understand your environment and needs. Customers that have experienced IT on staff can use the <a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364" target="_blank">Microsoft 365 Business Getting Started</a> to assist them in their Microsoft 365 Business deployment.
Who has access to the Microsoft 365 Business preview?
------------------------------------------------------
### Does Microsoft 365 Business include the full capabilities of Microsoft Intune?
Microsoft 365 Business includes a robust set of mobile app management capabilities powered by Microsofts MDM solution (Microsoft Intune). These are a subset of features, specifically chosen to meet the needs of SMBs and organized to be easily managed via a simplified administration experience. If a company requires the full capabilities of Intune, they can purchase a qualifying plan separately.
The Microsoft 365 Business preview is available to new customers as well as existing Office 365 subscribers in all [markets where Office 365 is currently available](https://products.office.com/en-us/business/international-availability).
### Does Azure Active Directory P1 come with Microsoft 365 Business?
Microsoft 365 Business is built on technology from across Microsoft and while it shares some features with Azure Active Directory, it is not a full version. The security and management policies created in Microsoft 365 Business rely on some Azure functionality but does not include all features (e.g. selfservice features, conditional access features, and reporting). Customers may choose to purchase Azure Active Directory Premium as an add-on to Microsoft 365 Business.
### Does Microsoft 365 Business allow customers to manage Macs?
The security and management capabilities of Microsoft 365 Business pertain to iOS and Android mobile and tablet devices, and Windows PCs.
### What is Windows AutoPilot?
Windows AutoPilot is a service that streamlines the deployment of new Windows 10 PCs. This process can be done when the end-user logs on to Microsoft 365 Business for the first time—without IT ever touching the device—by leveraging centralized management controls of Microsoft 365 Business. You can also use Windows AutoPilot for existing PCs that are running Windows 10 Professional Creators Update (or later) and have been factory reset. Details about Windows AutoPilot can be found in <a href="https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/" target="_blank">this June blog post</a>.
Im an existing Office 365 customer. Can I access the Microsoft 365 Business preview?
-------------------------------------------------------------------------------------
## Compatibility
Microsoft 365 Business can be used with existing Office 365 Business Premium subscriptions. Office 365 Business Premium subscribers that move to Microsoft 365 Business would not experience any end-user impacts (re-install Office, lose functionality, etc) upon assignment of the license. Customers running Office 365 Enterprise E3/E5 may experience end user impacts if they move to Microsoft 365 Business, it is not a recommended transition path at this time.
When will Microsoft 365 Business preview be available?
-------------------------------------------------------
The Microsoft 365 Business preview will be available starting on August 2, 2017.
In what regions is the Microsoft 365 Business preview available?
-----------------------------------------------------------------
The Microsoft 365 Business preview is available to all partners and customers where Office 365 is available. [See the list of Office 365 international availability for languages, countries and regions](https://products.office.com/en-us/business/international-availability).
When will Microsoft 365 Business be generally available?
---------------------------------------------------------
Microsoft 365 Business is expected to be generally available toward the end of the calendar year.
Is there a limit to how many users can experience the preview?
---------------------------------------------------------------
Each organization can up to 300 users on Microsoft 365 Business during the preview.
What should customers and partners know before running Microsoft 365 Business within their organization?
---------------------------------------------------------------------------------------------------------
Customers that wish to experience the complete capabilities of Microsoft 365 Business must be running Windows 7, 8.1 or 10 Pro\* on their existing desktops. Customers who use on-premises Active Directory must switch to cloud identity and management as part of their deployment. Existing Windows 10 Pro PCs should be running Creators Update if they have not already done so.
\*Devices running Windows 7 or 8.1 Pro are eligible for an upgrade to
Windows 10 Pro within the Microsoft 365 Business preview.
Is there any charge for the Microsoft 365 Business preview?
------------------------------------------------------------
No, Microsoft will not charge for the preview. If you work with an outside [IT partner](https://partnercenter.microsoft.com/en-us/pcv/search) and require assistance to deploy Microsoft 365 Business preview, they may charge you for their deployment services and assistance. At the end of the preview customers may convert to a paid subscription to continue using Microsoft 365 Business.
Im an existing Office 365 customer. Will I be charged for an Office 365 subscription while I am using the Microsoft 365 Business preview?
------------------------------------------------------------------------------------------------------------------------------------------
The Microsoft 365 Business preview is free and does not require an existing Office 365 Business Premium subscription. Current Office 365 customers will continue to be billed for active Office 365 subscriptions that are not associated with the Microsoft 365 Business preview.
What is the best way to deploy Microsoft 365 Business in my organization?
--------------------------------------------------------------------------
Partner-assisted deployment is the recommended way to deploy Microsoft 365 Business preview. Contact your Microsoft Partner and ask them if they are participating in the Microsoft 365 Business Preview Trial. Your Partner is well-equipped to help customers understand their options and make the best recommendations for deploying Microsoft 365 Business preview in your organization.
If you do not have a Microsoft partner, you can find one [here](https://partnercenter.microsoft.com/en-us/pcv/search).
## Deployment
What should customers consider when planning a Microsoft 365 Business deployment?
----------------------------------------------------------------------------------
The most direct path to a successful Microsoft 365 Business deployment is to engage with a Microsoft Partner. They have extensive training and experience with a wide variety of customer scenarios and are best equipped to understand your environment and needs. Customers that have experienced IT on staff can use the [Microsoft 365 Business Getting Started](https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364) to assist them in their Microsoft 365 Business deployment.
Does Microsoft 365 Business include the full capabilities of Microsoft Intune?
-------------------------------------------------------------------------------
Microsoft 365 Business includes a robust set of mobile app management capabilities powered by Microsoft Intune. These are a subset of Intune features, specifically chosen to meet the needs of SMBs and organized to be easily managed via a simplified administration experience. If a company requires the full capabilities of Intune, they can purchase a Microsoft 365 Enterprise plan.
Does Microsoft 365 Business allow customers to manage Macs?
------------------------------------------------------------
The security and management capabilities of Microsoft 365 Business pertain to iOS, Android mobile devices, and Windows PCs.
What is Windows AutoPilot?
---------------------------
Windows AutoPilot is a service that streamlines the deployment of new Windows 10 PCs. This process can be done when the end-user logs on to Microsoft 365 Business for the first time— without IT ever touching the device—by leveraging centralized management controls of Microsoft 365 Business. You can also use Windows AutoPilot for existing PCs that are running Windows 10 Professional Creators Update and have been factory reset. Details about Windows AutoPilot can be found in [this June blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-AutoPilot/).
## Compatibility
Can I add Office 365 E5 add-ons to Microsoft 365 Business?
-----------------------------------------------------------
All the add-ons that can be added to Office 365 Business Premium can be added to Microsoft 365 Business. This means that you can purchase Advanced Threat Protection, Advanced Security Management, Customer Lockbox, Advanced eDiscovery, MyAnalytics, PowerBI Pro, and PSTN Conferencing.
Can I add Cloud PBX and PSTN Calling plans to Microsoft 365 Business?
----------------------------------------------------------------------
At this time, these capabilities are reserved for customers who have more advanced needs. Customers who require Cloud PBX or PSTN Calling plans should look at Microsoft 365 Enterprise offerings.
Can I use add on Archiving or additional storage to Microsoft 365 Business?
----------------------------------------------------------------------------
Yes, you can add on additional archiving or storage to Microsoft 365 Business.
Can Microsoft 365 Business customers use Windows Defender Advanced Threat Protection?
--------------------------------------------------------------------------------------
No, customers that require Windows Defender Advanced Threat Protection need either Windows 10 Enterprise E5 or Microsoft 365 Enterprise E5.
Can I use Windows Information Protection with Microsoft 365 Business?
----------------------------------------------------------------------
Yes, Windows Information Protection (WIP) is a feature of Windows 10 Pro and helps businesses prevent accidental leaks by restricting user and app access to business files based on policies you define. Your business data is protected no matter where it lives on your devices—without affecting your user experience. Microsoft 365 Business includes controls to ensure Windows Information Protection is properly configured and automatically deployed to end-user devices.
Can customers use Microsoft 365 Business with on-premises Active Directory?
----------------------------------------------------------------------------
To realize the full value of Windows 10, Windows 10 PCs need to be joined to Azure Active Directory. You may use Microsoft 365 Business with Windows 10 devices
joined to on-premises Active Directory but it is not recommended because you wont be able to enforce policies from the Microsoft 365 Business Admin console.
Can customers create hosted Windows 10 VMs with a Microsoft 365 Business subscription?
---------------------------------------------------------------------------------------
### Can I add Office 365 add-ons to Microsoft 365 Business?
All the add-ons that can be added to Office 365 Business Premium can be added to Microsoft 365 Business. This means that you can purchase Advanced Threat Protection, Office 365 Cloud App Security, Advanced Compliance, Threat Intelligence, MyAnalytics, PowerBI Pro, and Audio Conferencing.
### Can I add Phone System and Calling Plans to Microsoft 365 Business?
No, Phone System and Calling Plan are reserved for customers who have more advanced needs. Customers who require these capabilities should look at Microsoft 365 Enterprise offerings.
### Can Microsoft 365 Business customers use Windows Defender Advanced Threat Protection?
No, customers that require Windows Defender Advanced Threat Protection need either Windows 10 Enterprise E5 or Microsoft 365 Enterprise E5.
### Can I use Windows Information Protection with Microsoft 365 Business?
Yes, Windows Information Protection (WIP) is a feature of Windows 10 Pro and helps businesses prevent accidental leaks by restricting user and app access to business files based on policies you define. Your business data is protected no matter where it lives on your devices—without affecting your user experience. Microsoft 365 Business includes controls to ensure Windows Information Protection is properly configured and automatically deployed to end-user devices.
### Can customers use Microsoft 365 Business with on-premises Active Directory?
To realize the full value of Windows 10, Windows 10 PCs need to be joined to Azure Active Directory. You may use Microsoft 365 Business with Windows 10 devices joined to on-premises Active Directory but it is not recommended because you wont be able to enforce policies from the Microsoft 365 Business Admin console.
### Can customers create hosted Windows 10 VMs with a Microsoft 365 Business subscription?
No, customers that require virtualization should purchase Windows 10 Enterprise or a Microsoft 365 Enterprise subscription.
## Partner Opportunity
Where can I learn more about the opportunities and benefits in becoming a Microsoft Partner?
---------------------------------------------------------------------------------------------
## Partner opportunity
### Where can I learn more about the opportunities and benefits in becoming a Microsoft Partner?
IT service providers that are not already Microsoft partners can learn more about the Microsoft Cloud Solution Provider program at
[https://partner.microsoft.com/cloud-solution-provider](https://partner.microsoft.com/cloud-solution-provider).
[https://partners.office.com/microsoft365business](https://partners.office.com/microsoft365business).
Where can I learn how to sell Microsoft 365 Business?
------------------------------------------------------
### Where can I learn how to sell Microsoft 365 Business?
Partners now selling Office 365 can use the same consultative selling methods to sell Microsoft 365 Business. In addition, we are introducing more resources and training for your sales team to understand the customers existing desktop environment, Active Directory reliance, mobility and security needs to effectively communicate the full value of Microsoft 365 Business in a way that is relevant to the customer. Find these resources on the Office Partner portal at [http://partners.office.com/microsoft365business](http://partners.office.com/microsoft365business).
Partners now selling Office 365 can use the same consultative selling methods to sell Microsoft 365 Business. In addition, we are introducing resources and training for your sales team to understand the customers existing desktop environment, Active Directory reliance, mobility and security needs to effectively communicate the full value of Microsoft 365 Business in a way that is relevant to the customer. Find these resources on the Office Partner portal at
[http://partners.office.com](http://partners.office.com/).
### How can Microsoft 365 Business help partners increase the profitability?
Microsoft 365 Business will help partners reduce costs through greater operational efficiencies and enhance revenue through the sale of additional services. The Forrester Research, Microsoft 365 Business Total Economic Impact (TEI) Study, June 2017 (https://partners.office.com/TEIBusiness), demonstrates that Microsoft 365 Business will have positive impact on partner profitability.
How can Microsoft 365 Business help partners increase the profitability?
-------------------------------------------------------------------------
In the TEI study partners reported that with Microsoft 365 Business they expect:
Microsoft 365 Business will help partners reduce costs through greater operational efficiencies and enhance revenue through the sale of additional services. The Forrester Research, Microsoft 365 Business Total Economic Impact (TEI) Study, June 2017 [(available on the partner portal)](http://partners.office.com/), demonstrates that Microsoft 365 Business will have positive impact on partner profitability.
In the TEI study partners reported that with Microsoft 365 Business they
expect:
- 20%-point increase in \[one-time\] deployment and advisory services revenue
- 10%-point increase in attach rate of managed services
- 8%-point increase in consulting and \[ongoing\] managed services profit margins (from lower costs)
What resources are available to partners to sell, deploy and support Microsoft 365 Business?
- 20%-point increase in \[one-time\] deployment and advisory services revenue
- 10%-point increase in attach rate of managed services
- 8%-point increase in consulting and \[ongoing\] managed services profit margins (from lower costs)
### What resources are available to partners to sell, deploy and support Microsoft 365 Business?
Microsoft provides a wide selection of resources for CSP partners to market, sell, and support Microsoft 365 Business. They can be found at
[http://partners.office.com](http://partners.office.com/).
[https://partners.office.com/microsoft365business](https://partners.office.com/microsoft365business).
What up-sell opportunities does Microsoft 365 Business give partners?
----------------------------------------------------------------------
### What up-sell opportunities does Microsoft 365 Business give partners?
Microsoft 365 Business allows partners to maintain their trusted advisor position with customers, by creating a solid and secure platform upon which to sell additional services and to upgrade existing products and services. Microsoft 365 Business provides an opportunity to have an upgrade discussion with customers now using Exchange Server, Exchange Online or Office 365 Business Essentials. Partners may also gain additional revenue from increased managed services and/or peruser support fees.
With the new Windows AutoPilot feature included in Microsoft 365 Business, partners who have been reluctant to sell new Windows devices due to deployment logistics and costs will find this opportunity much more attractive. Customers who are confident in the security of their on-premise and mobile devices are also more likely to invest in additional services, such as Dynamics 365.
### Should partners sell Microsoft 365 Business over other plans from Microsoft?
A Microsoft Cloud Solution Provider should always sell the plan that best suits its customer business needs and budget. For example, if a customer must comply with privacy and security regulations, a CSP may sell Microsoft 365 Business plus any add-ons that help the customer meet its requirements or may suggest the advanced security and management provided by Microsoft 365 Business E SKUs.
### Some of my customers have devices that are not genuine; will Microsoft 365 Business make these devices genuine?
Microsoft 365 Business does not make an otherwise non-genuine version of Windows, genuine. Microsoft 365 Business does provide an upgrade benefit allowing those customers running genuine Windows 7, 8 or 8.1 Pro to upgrade to the most recent, genuine version of Windows 10 Pro.
### What support is available to CSP partners for the Microsoft 365 Business Preview?
The same support channels available to CSP partners today (premier support and advanced support program) have been trained on Microsoft 365 Business and are ready to provide partners with support.
Microsoft 365 Business allows partners to maintain their trusted advisor position with customers, by creating a solid and secure platform upon which to sell additional services, or upgrade existing products and services. Microsoft 365 Business provides an opportunity to have an upgrade discussion with customers now using Exchange Server, Exchange Online or Office 365 Business Essentials. Partners may also gain additional revenue from increased managed services and/or per-user
support fees.
### What is the GDPR and how does Microsoft 365 Business help customers with their compliance obligations?
The General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data” and requires organizations to maintain the integrity of that personal data. The GDPR requires organizations that control, or process personal data tied to EU residents to only use third-party data processors that meet the GDPRs requirements for personal data processing. In March 2017, Microsoft made available contractual guarantees that provide these assurances. Customers that have questions about how Microsoft can help them meet their additional GDPR obligations should learn about the advanced compliance and security capabilities available as add-ons (e.g. Azure Information Protection) and in other Suites (e.g. Microsoft 365 Enterprise E5). To learn more, visit [www.microsoft.com/gdpr](https://www.microsoft.com/gdpr).
With the new Windows AutoPilot feature included in Microsoft 365 Business, partners who have been reluctant to sell new Windows devices due to deployment logistics and costs may now find this opportunity much more attractive. Customers who are confident in the security of their onpremise and mobile devices are also more likely to invest in additional services, such as Dynamics 365.
Should partners sell Microsoft 365 Business over other plans from Microsoft?
-----------------------------------------------------------------------------
A Microsoft Cloud Solution Provider should always sell the plan that best suits its customer business needs and budget. For example, if a customer must comply with privacy and security regulations, a CSP may sell Microsoft 365 Business plus any add-ons that help the customer meet its requirements or may suggest the advanced security and management provided by Microsoft 365 Business E SKUs.
I have devices that are not genuine; will Microsoft 365 Business make my devices genuine?
------------------------------------------------------------------------------------------
## Footnotes
<sup><a name="footnote1">**1**</a></sup> <small>Available in US, UK, and Canada.</small> </br>
<sup><a name="footnote2">**2**</a></sup> <small>Devices running Windows 7 or 8.1 Pro are eligible for an upgrade to Windows 10 Pro within the Microsoft 365 Business preview.</small>
No, Microsoft 365 Business does not make an otherwise non-genuine version of Windows, genuine. Microsoft 365 Business does provide an upgrade benefit allowing those customers running genuine Windows 7, 8 or 8.1 Pro to upgrade to the most recent, genuine version of Windows 10 Pro.
How do partners make any money offering the Microsoft 365 Business preview to their customers?
-----------------------------------------------------------------------------------------------
Partners can realize revenue opportunities by deploying Microsoft 365 Business preview and providing other managed services that support the solution.
What is the exact name of the Microsoft 365 Business preview SKU and when will it be available?
------------------------------------------------------------------------------------------------
The Microsoft 365 Business preview is called the Microsoft 365 Business Preview Trial and will be on August 2 CSP Price List.
How can I convert a preview customer subscription to Microsoft 365 Business when it is generally available?
------------------------------------------------------------------------------------------------------------
We will provide more information on converting Microsoft 365 Business preview customers to subscribers later.
What support is available to CSP partners for the Microsoft 365 Business Preview?
----------------------------------------------------------------------------------
The same support channels available to CSP partners today (premier support and advanced support program) have been trained on Microsoft 365
Business and are ready to provide partners with support.
What is the GDPR and how does Microsoft 365 Business help customers with their compliance obligations?
-------------------------------------------------------------------------------------------------------
The General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data” and requires organizations to maintain the integrity of that personal data. The GDPR requires organizations that control, or process personal data tied to EU residents to only use third-party data processors that meet the GDPRs requirements for personal data processing. In March 2017, Microsoft made
available contractual guarantees that provide these assurances. Customers who have questions about how Microsoft can help them meet their additional GDPR obligations should learn about the advanced compliance and security capabilities available as add-ons (e.g. Azure Information Protection) and in other Suites (e.g. Microsoft 365 Enterprise E5). To learn more, visit [www.microsoft.com/gdpr](https://www.microsoft.com/gdpr).

103
bcs/support/transition-csp-subscription.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Transition a Microsoft 365 Business CSP subscription 
description: Find out how you can transition a Microsoft 365 Business CSP subscription from preview to GA. 
author: CelesteDG 
ms.author: celested 
ms.topic: article 
ms.prod: microsoft-365-business
ms.localizationpriority: high
audience: microsoft-business 
keywords: Microsoft 365 Business, Microsoft 365, SMB, transition CSP subscription
ms.date: 11/01/2017
---
# Transition a Microsoft 365 Business CSP subscription
If you have a Microsoft 365 Business Preview CSP subscription, follow this guide to find out how you can transition your existing preview subscription to Microsoft 365 Business GA (general availability).
**How to transition a preview subscription to GA**
1. Log in to <a href="https://partnercenter.microsoft.com" target="_blank">Partner Center</a>.
2. From the dashboard, select **Customers**, and then find and select the company name.
The subscriptions for the company will be listed.
![Customer's subscriptions in Partner Center](images/pc_customer_subscriptions_1.png)
3. In the company's **Subscriptions** page, select **Add subscription**.
4. In the **New subscription** page, select **Small business** and then select **Microsoft 365 Business** from the list.
5. Add the number of licenses and then select **Next: Review** to review the subscription and then select **Submit**.
![Review the new subscription to Microsoft 365 Business](images/pc_customer_reviewnewsubscription.png)
The **License-based subscriptions** will show **Microsoft 365 Business Preview** and **Microsoft 365 Business**. You'll need to suspend the Preview subscription next.
6. Select **Microsoft 365 Business Preview**.
7. In the **Microsoft 365 Business Preview** page, select **Suspended** to suspend the Preview subscription.
![Suspend the Microsoft 365 Business Preview subscription](images/pc_customer_m365bpreview_suspend.png)
8. Select **Submit** to confirm.
In the **Subscriptions** page, confirm that the **Microsoft 365 Business Preview** status shows **Suspended**.
![Confirm the Preview subscription status is suspended](images/pc_customer_m365bpreview_suspend_confirm.png)
9. Optionally, you can also validate the license agreement. To do this, follow these steps:
1. Select **Users and licenses** from the company's **Subscriptions** page.
2. From the **Users and licenses** page, select a user.
3. In the user's page, check the **Assign licenses** section and confirm that it shows **Microsoft 365 Business**.
![Confirm the Microsoft 365 Business license is assigned to the user](images/pc_customer_userslicenses_m365b_validate.png)
## Impact to customers and users during and after transition
There is no impact to customers and users during transition and post transition.
## Impact to customers who don't transition
The following table summarizes the impact to customers who don't transition from a Microsoft 365 Business Preview subscription to a Microsoft 365 Business subscription.
| | T-0 to T+30 | T+30 to T+60 | T+60 to T+120 | Beyond T+120 |
|-------|-----------------|--------------|---------------|---------------|
| **State** | In grace period | Expired | Disabled | Deprovisioned |
| **Service impacts** |
| **Microsoft 365 Business admin portal** | No impact to functionality | No impact to functionality | Can add/delete users, purchase subscriptions.</br> Cannot assign/revoke licenses. | Customer's subscription and all data is deleted. Admin can manage other paid subscriptions. |
| **Office apps** | No end user impact | No end user impact | Office enters reduced functionality mode.</br> Users can view files only. | Office enters reduced functionality mode.</br> Users can view files only. |
| **Cloud services (SharePoint Online, Exchange Online, Skype, Teams, and more)** | No end user impact | No end user impact | End users and admins have no access to data in the cloud. | Customer's subscription and all data are deleted. |
| **EM+S components** | No admin impact</br> No end user impact | No admin impact</br> No end user impact | Capability will cease to be enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability will cease to be enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
| **Windows 10 Business** | No admin impact</br> No end user impact | No admin impact</br> No end user impact | Capability will cease to be enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability will cease to be enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
| **Azure AD login to a Windows 10 PC** | No admin impact</br> No end user impact | No admin impact</br> No end user impact | No admin impact</br> No end user impact | Once the tenant is deleted, a user can log in with local credentials only. Re-image the device if there are no local credentials. |
## Mobile device impacts upon subscription expiration
The followint table summarizes the impact to the app management policies on mobile devices.
| | Fully licensed experience | T+60 days post expiration |
|----------------------------|------------------------------------------------|------------------------------------|
| **Delete work files from an inactive device** | Work files are removed after selected days | Work files remain on the user's personal devices |
| **Force users to save all work files to OneDrive for Business** | Work files can only be saved to OneDrive for Business | Work files can be saved anywhere |
| **Encrypt work files** | Work files are encrypted | Work files are no longer encrypted.</br> Security policies are removed and Office data on apps is removed. |
| **Require PIN or fingerprint to access Office apps** | Restricted access to apps | No app-level access restriction |
| **Reset PIN when login fails** | Restricted access to apps | No app-level access restriction |
| **Require users to sign in again after Office apps have been idle** | Sign-in required | No sign-in required to access apps |
| **Deny access to work files on jailbroken or rooted devices** | Work files cannot be accessed on jailbroken/rooted devices | Work files can be accessed on jailbroken/rooted devices |
| **Allow users to copy content from Office apps to Personal apps** | Copy/paste restricted to apps available as part of Microsoft 365 Business subscription | Copy/paste available to all apps |
## Windows 10 PC impacts upon subscription expiration
The following table summarizes the impact to the Windows 10 device configuration policies.
| | Fully licensed experience | T+60 days post expiration |
|----------------------------|------------------------------------------------|------------------------------------|
| **Help protect PCs from threats using Windows Defender** | Turn on/off is outside of user control | User may turn on/off Windows Defender on the Windows 10 PC |
| **Help protect PCs from web-based threats in Microsoft Edge** | PC protection in Microsoft Edge | User may turn on/off PC protection in Microsoft Edge |
| **Turn off device screen when idle** | Admin defines screen timeout interval policy | Screen timeout can be configured by end user |
| **Allow users to download apps from Microsoft Store** | Admin defines if a user can download apps from Microsoft Store | User can download apps from Microsoft Store anytime |
| **Allow users to access Cortana** | Admin defines policy on user access to Cortana | User devices to turn on/off Cortana |
| **Allow users to receive tips and advertisements from Microsoft** | Admin defines policy on user receive tips and advertisements from Microsoft | User may turn on/off tips and advertisements from Microsoft |
| **Allow users to copy content from Office apps into personal apps** | Admin defines policy to keep Windows 10 devices up-to-date | Users can decide when to update Windows |

4
devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
View File

@ -32,7 +32,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f
### User sign-in
Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those crednetials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS).
Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those credentials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS).
Users can sign in to a Surface Hub, but they will not be signed in to the OS. For example, when a user signs in to Apps or My Meetings and Files, the users is signed in only to the apps or services, not to the OS. As a result, the signed-in user is able to retrieve their cloud files and personal meetings stored in the cloud, and these credentials are discarded when **End session** is activated.
@ -168,4 +168,4 @@ Users can sign in to Microsoft Edge to access intranet sites and online resource
The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
*Organization policies that this may affect:* <br> Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
*Organization policies that this may affect:* <br> Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.

2
devices/surface-hub/manage-windows-updates-for-surface-hub.md
View File

@ -58,7 +58,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune)
### Group Surface Hub into deployment rings

3
devices/surface-hub/prepare-your-environment-for-surface-hub.md
View File

@ -68,7 +68,7 @@ Surface Hub interacts with a few different products and services. Depending on t
A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
@ -118,6 +118,7 @@ When you go through the first-run program for your Surface Hub, there's some inf
## More information
- [Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/)
- [Surface Hub in a Multi-Domain Environment](https://blogs.technet.microsoft.com/y0av/2017/11/08/11/)
 

6
devices/surface/change-history-for-surface.md
View File

@ -11,6 +11,12 @@ author: jdeckerms
This topic lists new and updated topics in the Surface documentation library.
## November 2017
|New or changed topic | Description |
| --- | --- |
|[Surface Dock Updater](surface-dock-updater.md) | Added version 2.7.136.0 information |
## October 2017
New or changed topics | Description

54
devices/surface/surface-dock-updater.md
View File

@ -8,8 +8,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: jobotto
ms.date: 06/29/2017
author: brecords
ms.date: 11/03/2017
ms.author: jdecker
---
# Microsoft Surface Dock Updater
@ -22,7 +23,10 @@ The [Microsoft Surface Dock Updater](https://www.microsoft.com/download/details.
When you run the Microsoft Surface Dock Updater installer you will be prompted to accept an End User License Agreement (EULA).
>[!NOTE]
>Updating Surface Dock firmware requires connectivity to the Surface Dock, available only on Surface Pro 3, Surface Pro 4, and Surface Book devices. A Surface Pro 3, Surface Pro 4, or Surface Book is required to successfully install Microsoft Surface Dock Updater.
>Updating Surface Dock firmware requires connectivity to the Surface Dock via the Surface Connect™ port. Installation of the Microsoft Surface Dock Updater is only supported on devices that feature the Surface Connect™ port.
>[!NOTE]
>The Surface Dock Updater tool is unable to run on Windows 10 S. Surface Dock devices used with Surface Laptop with Windows 10 S will receive updates natively through Windows Update. To manually update a Surface Dock for use with Surface Laptop and Windows 10 S, connect the Surface Dock to another Surface device with a Windows 10 Pro or Windows 10 Enterprise environment.
## Update a Surface Dock with Microsoft Surface Dock Updater
@ -112,6 +116,15 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
>[!Note]
>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
### Version 2.7.136.0
*Release date: November 3, 2017*
This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock DisplayPort Firmware
* Improved support for passive DisplayPort to DVI or HDMI adapters
* Improved support for audio over DisplayPort
### Version 2.1.15.0
*Release date: June 19, 2017*
@ -120,25 +133,6 @@ This version of Surface Dock Updater adds support for the following:
* Surface Laptop
* Surface Pro
>[!NOTE]
>The Surface Dock Updater tool is unable to run on Windows 10 S. Surface Dock devices used with Surface Laptop with Windows 10 S will receive updates natively through Windows Update. To manually update a Surface Dock for use with Surface Laptop and Windows 10 S, connect the Surface Dock to another Surface device with a Windows 10 Pro or Windows 10 Enterprise environment.
### Version 1.0.8.0
*Release date: April 26, 2016*
This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock Main Chipset firmware
* Update for Surface Dock DisplayPort firmware
### Version 2.0.22.0
*Release date: October 21, 2016*
This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock USB firmware
* Improved reliability of Ethernet, audio, and USB ports
### Version 2.1.6.0
*Release date: April 7, 2017*
@ -147,6 +141,22 @@ This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock DisplayPort firmware
* Requires Windows 10
### Version 2.0.22.0
*Release date: October 21, 2016*
This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock USB firmware
* Improved reliability of Ethernet, audio, and USB ports
### Version 1.0.8.0
*Release date: April 26, 2016*
This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock Main Chipset firmware
* Update for Surface Dock DisplayPort firmware
## Related topics

8
education/windows/change-history-edu.md
View File

@ -15,6 +15,14 @@ ms.date: 08/01/2017
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## November 2017
| New or changed topic | Description |
| --- | ---- |
| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the the list of device manufacturers. |
| [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
| [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
## RELEASE: Windows 10, version 1709 (Fall Creators Update)
| New or changed topic | Description |

65
education/windows/education-scenarios-store-for-business.md
View File

@ -10,51 +10,53 @@ searchScope:
- Store
author: trudyha
ms.author: trudyha
ms.date: 10/27/2017
---
# Working with Microsoft Store for Education
Learn about education scenarios for Microsoft Store for Education. IT admins and teachers can use Microsoft Store to find, acquire, distribute, and manage apps.
Learn about education scenarios for Microsoft Store for Education. IT admins and teachers can use Microsoft Store to find, acquire, distribute, and manage apps.
## Manage Microsoft Store for Education settings
Many of the [settings in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/settings-reference-microsoft-store-for-business) also apply in Microsoft Store for Education. Several of the items in this topic are unique to Microsoft Store for Education.
### Access to Microsoft Store for Education
## Basic Purchaser role
Applies to: IT admins
By default, when a teacher with a work or school account acquires Minecraft: Education Edition,they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
However, tenant admins can control whether or not teachers automatically sign up for Microsoft Store for Business, and get the **Basic Purchaser** role. You can configure this with **Allow educators in my organization to sign up for the Microsoft Store for Business.** You'll find this on the **Permissions** page.
**To manage educator access to Microsoft Store for Education**
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click **Manage**, and then click **Permissions**.
3. Select, or clear **Allow teachers in my organization to sign up for the Microsoft Store for Education**.
### Microsoft Store for Education permissions
Applies to: IT admins
**Minecraft: Education Edition** adds a new role for teachers: **Basic Purchaser**. As an Admin, you can assign this role to teachers in your organization. When a teacher has been granted this role, they can:
By default, when a teacher with a work or school account signs up for Microsoft Store for Education, the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to:
- View the Minecraft: Education Edition product description page
- Acquire and manage Minecraft: Education Edition, and other apps from Store for Business
- Use info on Support page (including links to documentation and access to support through customer service)
- Acquire and manage Minecraft: Education Edition, and other apps from Store for Education
- Use info on **Support** (including links to documentation and access to support through customer service)
![assign roles to manage Minecraft permissions](images/sfe-roles.png)
> [!NOTE]
> People with the **Basic Purchaser** role can only manage (assign and reclaim licenses) for apps that they purchased. They can't manage apps purchased by people with **Purchaser** or **Admin** roles.
Admins can control whether or not teachers are automatically assigned the **Basic Purchaser** role. You can configure this with **Make everyone a Basic Purchaser**. You'll find this on **Settings**, with **Shop** settings.
**To manage Make everyone a Basic Purchaser**
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click **Manage**, and then click **Settings**.
3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
![manage settings to control Basic Purchaser role assignment](images/sfe-make-everyone-bp.png)
> [!NOTE]
> **Make everyone a Basic Purchaser** is on by default.
When **Make everyone a Basic Purchaser** is turned off, admins can manually assign the role to teachers.
**To assign Basic Purchaser role**
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) </br>
> [!NOTE]
> You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
2. Click **Settings**, and then choose **Permissions**.
3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click **Manage**, and then choose **Permissions**.
3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
![Permission page for Microsoft Store for Business](images/sfe-roles.png)
Micrososft Store updates the list of people and permissions.
### Private store
**Blocked Basic Purchasers**
When **Make everyone a Basic Purchaser** is on, admins can still manage which users have the **Basic Purchaser** role. An admin can unassign the **Basic Purchaser** role from a user, and the user is added to a list of **Blocked Basic Purchasers**. Admins can review who are **Basic Purchasers** and **Blocked Basic Purchasers** on **Permissions**.
## Private store
Applies to: IT admins
@ -104,11 +106,10 @@ Teachers and IT administrators can now get trials or subscriptions to Minecraft:
- [For IT admins Minecraft: Education Edition](https://docs.microsoft.com/education/windows/school-get-minecraft)
- [For teachers Minecraft: Education Edition](https://docs.microsoft.com/education/windows/teacher-get-minecraft)
## Manage apps and software
Applies to: IT admins and teachers
### Manage purchases
## Manage purchases
IT admins and teachers in educational settings can purchase apps from Microsoft Store for Education. Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default.
While both groups can purchase apps, they can't manage purchases made by the other group.
@ -125,7 +126,7 @@ Teachers can:
> [!NOTE]
> Teachers with the Basic purchaser role can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
### Distribute apps
## Distribute apps
Manage and distribute apps to students and others in your organization. Different options are avaialble for admins and teachers.

BIN
education/windows/images/sfe-allow-shop-setting.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
education/windows/images/sfe-make-everyone-bp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
education/windows/images/sfe-roles.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 21 KiB

4
education/windows/take-a-test-multiple-pcs.md
View File

@ -233,9 +233,9 @@ One of the ways you can present content in a locked down manner is by embedding
2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
- `&enableTextSuggestions` - Enables text suggestions
- `&enablePrint` - Enables printing
- `&requirePrinting` - Enables printing
- `&enableScreenCapture` - Enables screen capture
- `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability.
- `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
If you exclude these parameters, the default behavior is disabled.

4
education/windows/take-a-test-single-pc.md
View File

@ -97,9 +97,9 @@ One of the ways you can present content in a locked down manner is by embedding
2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
- `&enableTextSuggestions` - Enables text suggestions
- `&enablePrint` - Enables printing
- `&requirePrinting` - Enables printing
- `&enableScreenCapture` - Enables screen capture
- `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability.
- `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
If you exclude these parameters, the default behavior is disabled.

20
education/windows/test-windows10s-for-edu.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 10/17/2017
ms.date: 11/03/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@ -85,15 +85,15 @@ Check with your device manufacturer before trying Windows 10 S on your device to
| <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> | <a href="http://www.dell.com/support/article/us/en/19/sln307174/dell-computers-tested-for-windows-10-s?lang=en" target="_blank">Dell</a> |
| <a href="http://www.epson.jp/support/misc/windows10s.htm" target="_blank">Epson</a> | <a href="http://exo.com.ar/actualizaciones-de-windows-10" target="_blank">EXO</a> | <a href="http://www.fujitsu.com/au/products/computing/pc/microsoft/s-compatible/" target="_blank">Fujitsu</a> |
| <a href="http://apac.getac.com/support/windows10s.html" target="_blank">Getac</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="http://www.onda.cn/SearchDetails.aspx?id=1654" target="_blank">Guangzhou</a> |
| <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> | <a href="http://consumer.huawei.com/cn/support/notice/detail/index.htm?id=1541" target="_blank">Huawei</a> | <a href="http://www.inet-tek.com/en/product-qadetail-86.html" target="_blank">iNET</a> |
| <a href="https://www.intel.com/content/www/us/en/support/boards-and-kits/000025096.html" target="_blank">Intel</a> | <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> | <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> |
| <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> | <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> | <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> |
| <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> | <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> | <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> |
| <a href="http://www.bangho.com.ar/windows10s" target="_blank">PC Arts</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> | <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> |
| <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.teclast.com/zt/aboutwin10s/" target="_blank">Teclast</a> | <a href="http://www.dospara.co.jp/support/share.php?contents=about_windows10s" target="_blank">Thirdwave</a> |
| <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> | <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> |
| <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> | <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
| <a href="http://www.yifangdigital.com/Customerservice/win10s.aspx" target="_blank">Yifang</a> | | |
| <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> | <a href="http://consumer.huawei.com/cn/support/notice/detail/index.htm?id=1541" target="_blank">Huawei</a> | <a href="https://www.i-life.us/not-available/" target="_blank">I Life</a> |
| <a href="http://www.inet-tek.com/en/product-qadetail-86.html" target="_blank">iNET</a> | <a href="https://www.intel.com/content/www/us/en/support/boards-and-kits/000025096.html" target="_blank">Intel</a> | <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> |
| <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> | <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> |
| <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> | <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> |
| <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.bangho.com.ar/windows10s" target="_blank">PC Arts</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.teclast.com/zt/aboutwin10s/" target="_blank">Teclast</a> |
| <a href="http://www.dospara.co.jp/support/share.php?contents=about_windows10s" target="_blank">Thirdwave</a> | <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> | <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> |
| <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> | <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> |
| <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> | <a href="http://www.yifangdigital.com/Customerservice/win10s.aspx" target="_blank">Yifang</a> | |
> [!NOTE]

17
store-for-business/acquire-apps-microsoft-store-for-business.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: high
---
# Acquire apps in Microsoft Store for Business and Education
As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md).
As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md). The following sections explain some of the settings for shopping.
## App licensing model
The Microsoft Store supports two options to license apps: online and offline. **Online** licensing is the default licensing model. Online licensed apps require users and devices to connect to the Microsoft Store services to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information, see [offline license visibility](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#offline-licensing).
@ -31,6 +31,21 @@ There are a couple of things we need to know when you pay for apps. You can add
- Legal business address
- Payment option (credit card)
## Allow users to shop
**Allow users to shop** controls the shopping experience in Microsoft Store for Education. When this setting is on, **Purchasers** and **Basic Purchasers** can purchase products and services from Microsoft Store for Education. If your school chooses to closely control how purchases are made, admins can turn off **Allow users to shop**. When the setting is off:
- The shopping experience is not availalbe
- **Purchasers** and **Basic Purchasers** can't purchase products and services from Microsoft Store for Education
- Admins can't assign shopping roles to users
- Products and services previously purchased by **Basic Purchasers** can be managed by admins.
**To manage Allow users to shop setting**
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click **Manage**, and then click **Settings**.
3. On **Shop**, turn on or turn off **Allow users to shop**.
![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png)
## Acquire apps
**To acquire an app**
1. Sign in to http://businessstore.microsoft.com

BIN
store-for-business/images/sfb-allow-shop-setting.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

16
store-for-business/settings-reference-microsoft-store-for-business.md
View File

@ -26,22 +26,10 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
| Allow users to shop | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/en-us/education/windows/education-scenarios-store-for-business#basic-purchaser-role). </br> **Make everyone a Basic Purchaser** is only available in Microsoft Store for Education. | **Settings - Shop** |
| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
 
 
 

2
windows/access-protection/hello-for-business/hello-deployment-guide.md
View File

@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine
This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
* A well-connected, working network
* Internet access
* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
* Proper name resolution, both internal and external names
* Active Directory and an adequate number of domain controllers per site to support authentication
* Active Directory Certificate Services 2012 or later

2
windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
* [Public Key Infrastucture](#public-key-infastructure)
* [Public Key Infrastucture](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
* [Federation](#federation)
* [MultiFactor Authetication](#multifactor-authentication)

2
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
10. On the **Request Handling** tab, select the **Renew with same key** check box.
11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template.
14. Click on the **Apply** to save changes and close the console.

2
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
View File

@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
4. In the navigation pane, expand **Policies** under **User Configuration**.
5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
6. In the details pane, right-click **Certificate Services Client <EFBFBD> Auto-Enrollment** and select **Properties**.
6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
7. Select **Enabled** from the **Configuration Model** list.
8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
9. Select the **Update certificates that use certificate templates** check box.

32
windows/application-management/manage-windows-mixed-reality.md
View File

@ -65,22 +65,22 @@ In the following example, the **Id** can be any generated GUID and the **Name**
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;&gt;
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;&gt;
</Data>
</Item>
</Add>

2
windows/client-management/mdm/TOC.md
View File

@ -142,6 +142,8 @@
### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
### [eUICCs CSP](euiccs-csp.md)
#### [eUICCs DDF file](euiccs-ddf-file.md)
### [FileSystem CSP](filesystem-csp.md)
### [Firewall CSP](firewall-csp.md)
#### [Firewall DDF file](firewall-ddf-file.md)

33
windows/client-management/mdm/applocker-csp.md
View File

@ -876,29 +876,28 @@ The following example disables the Mixed Reality Portal. In the example, the **I
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;&gt;
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
The following example for Windows 10 Mobile denies all apps and allows the following apps:

447
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -7,17 +7,17 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 10/03/2017
ms.date: 11/01/2017
---
# AssignedAccess CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
@ -32,6 +32,9 @@ Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
> [!Note]
> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Here's an example:
@ -40,10 +43,15 @@ Here's an example:
{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
> [!Tip]
> In this example the double \\\ is only required because it's in json and json escapes \ into \\\\. If MDM server uses json parser\composer, they should only ask customer to type one \\, which will be \\\ in the json. If user types \\\\, it'll be \\\\\\\ in json, which is wrong. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (require) escape \\.
>
> This comment applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in json string. 
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
> **Note**  The domain name can be optional if the user name is unique across the system.
> [!Note]
> The domain name can be optional if the user name is unique across the system.
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
@ -51,7 +59,10 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
<a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
> [!Note]
> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
Enterprises can use this to easily configure and manage the curated lockdown experience.
@ -59,7 +70,7 @@ Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
## Examples
## KioskModeApp examples
KioskModeApp Add
@ -242,170 +253,7 @@ KioskModeApp Replace
</xs:schema>
```
## Overview of the AssignedAccessConfiguration XML
Let's start by looking at the basic structure of the XML file. 
- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run. 
- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id.
- A profile has no effect if its not associated to a user account. 
 
A profile node has below information: 
- Id: a GUID attribute to uniquely identify the Profile.
- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps. 
- StartLayout: a node for startlayout policy xml. 
- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar. 
You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml.
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
    <Profiles>
        <Profile Id="">
            <AllAppsList>
                <AllowedApps/>
            </AllAppsList>         
            <StartLayout/>
            <Taskbar/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <Account/>
            <DefaultProfile Id=""/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>
```
 
### Allowed apps
Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps, which is used to generate the assigned access AppLocker rules. 
- For Windows apps, you need to provide the App User Model ID (AUMID). 
- [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or 
- Get the AUMID via the [Start Layout XML](#start-layout). 
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
Here are the predefined assigned access AppLocker rules: 
**For UWP apps**
   
1. Default rule is to allow all users to launch the signed package apps. 
2. The package app deny list is generated at run time when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed package apps enterprises defined in the assigned access configuration. This deny list will be used to prevent the user from accessing the apps which are available for the user but not in the allowed list. 
 
> [!Note]
> Assigned access multi-app mode doesnt block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise deployed LoB app and you want to allow it running, make sure update the assigned access configuration to include it in the allowed app list. 
 
**For Win32 apps**
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. Also the rule allows admin user group to launch all desktop programs. 
2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list you defined in the multi-app configuration. 
3. Enterprise defined allowed desktop apps are added in the AppLocker allow list. 
The following example makes Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps allowed to run on the device.
``` syntax
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
        </AllowedApps>
      </AllAppsList>
```
### Start layout
Once you have defined the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset depending on whether you want the end user to directly access them on the Start. 
 
The easiest way for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. 
A few things to note here:
- The test device on which you customize the Start layout should have the same OS version that is installed on the device you plan to deploy the multi-app assigned access configuration. 
- Since the multi-app assigned access experience is intended for fixed purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout. 
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the CustomTaskbarLayoutCollection tag in a layout modification XML as part of the assigned access configuration.
The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps on Start.
```syntax
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Group1">
                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                            </start:Group>
                            <start:Group Name="Group2">
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
      </StartLayout>
```
For additional information, see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout)
### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet based or touch enabled All-In-One kiosks, when you dont attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. 
The following example exposes the taskbar to the end user:
``` syntax
      <Taskbar ShowTaskbar="true"/>
```
The following example hides the taskbar:
``` syntax
      <Taskbar ShowTaskbar="false"/>
```
> [!Note]
> This is different with the “Automatically hide the taskbar” option in tablet mode which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting “ShowTaskbar” as “false” will always hide the taskbar. 
### Profiles and configs
In the XML file, you define each profile with a GUID. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. 
``` syntax
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
  </Profiles>
```
Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, start layout, taskbar configuration as well as other local group policies/MDM policies set as part of the multi-app experience. 
``` syntax
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
  </Configs> 
```
> [!Note]
> - The full multi-app assigned access experience can only work for non-admin users. Its not supported to associate an admin user with the assigned access profile, doing this in the XML file will result unexpected/unsupported experiences when this admin user signs in.  
> - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
### Example AssignedAccessConfiguration XML
## Example AssignedAccessConfiguration XML
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
@ -457,3 +305,258 @@ Under Configs, define which user account will be associated with the profile. Wh
  </Configs>
</AssignedAccessConfiguration>
```
## Configuration examples
XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, youll have nested CDATA so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Escape and CDATA are mechanisms when handling xml in xml. Consider its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both end user who configures the CSP and transparent to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
This example shows escaped XML of the Data node.
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
&lt;Profiles&gt;
&lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
&lt;AllAppsList&gt;
&lt;AllowedApps&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt;
&lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt;
&lt;/AllowedApps&gt;
&lt;/AllAppsList&gt;
&lt;StartLayout&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
]]&gt;
&lt;/StartLayout&gt;
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
&lt;/Profile&gt;
&lt;/Profiles&gt;
&lt;Configs&gt;
&lt;Config&gt;
&lt;Account&gt;MultiAppKioskUser&lt;/Account&gt;
&lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
&lt;/Config&gt;
&lt;/Configs&gt;
&lt;/AssignedAccessConfiguration&gt;
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
This example shows escaped XML of the Data node.
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
&lt;Profiles&gt;
&lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
&lt;AllAppsList&gt;
&lt;AllowedApps&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt;
&lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt;
&lt;/AllowedApps&gt;
&lt;/AllAppsList&gt;
&lt;StartLayout&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
]]&gt;
&lt;/StartLayout&gt;
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
&lt;/Profile&gt;
&lt;/Profiles&gt;
&lt;Configs&gt;
&lt;Config&gt;
&lt;Account&gt;MultiAppKioskUser&lt;/Account&gt;
&lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
&lt;/Config&gt;
&lt;/Configs&gt;
&lt;/AssignedAccessConfiguration&gt;
</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
This example uses CData for the XML.
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]]]><![CDATA[>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
]]>
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
Example of Get command that returns the configuration in the device.
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
Example of the Delete command.
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Configuration</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```

4
windows/client-management/mdm/assignedaccess-ddf.md
View File

@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/27/2017
ms.date: 11/01/2017
---
# AssignedAccess DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.

40
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -43,7 +43,7 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">The data type format is node.
<p style="margin-left: 20px">Supported operations are Get, Add, and Delete .
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
@ -67,7 +67,7 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">Date type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">Supported operations are Get, Add, Delete, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
<p style="margin-left: 20px">CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
@ -142,7 +142,6 @@ The following image shows the ClientCertificateInstall configuration service pro
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/****_UniqueID_**
<p style="margin-left: 20px">A unique ID to differentiate different certificate installation requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
<p style="margin-left: 20px">A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
@ -157,14 +156,14 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">Supported operations are Get, Add, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
<p style="margin-left: 20px">Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*.
@ -174,7 +173,7 @@ Data type is string.
<p style="margin-left: 20px">Data type is int.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
<p style="margin-left: 20px">Required. Specifies the subject name.
@ -199,7 +198,12 @@ Data type is string.
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. |
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
<p style="margin-left: 20px">Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesnt have those bits set, configuration will fail.
<p style="margin-left: 20px"> Supported operations are Add, Get, Delete, and Replace. Value type is integer.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
<p style="margin-left: 20px">Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
@ -210,7 +214,7 @@ Data type is string.
<p style="margin-left: 20px">The minimum value is 1.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
<p style="margin-left: 20px">Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
@ -223,7 +227,7 @@ Data type is string.
<p style="margin-left: 20px">Minimum value is 0, which indicates no retry.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
<p style="margin-left: 20px">Optional. OID of certificate template name.
@ -233,7 +237,7 @@ Data type is string.
 
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
<p style="margin-left: 20px">Required for enrollment. Specify private key length (RSA).
@ -244,7 +248,7 @@ Data type is string.
<p style="margin-left: 20px">For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
<p style="margin-left: 20px">Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**.
@ -253,14 +257,14 @@ Data type is string.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
<p style="margin-left: 20px">Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
<p style="margin-left: 20px">Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
@ -269,7 +273,7 @@ Data type is string.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
<p style="margin-left: 20px">Optional. Specifies the units for the valid certificate period.
@ -285,7 +289,7 @@ Data type is string.
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
<p style="margin-left: 20px">Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
@ -295,21 +299,21 @@ Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
<p style="margin-left: 20px">Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
<p style="margin-left: 20px">Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.

4
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/19/2017
ms.date: 11/01/2017
---
# Configuration service provider reference
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.

5
windows/client-management/mdm/devicemanageability-csp.md
View File

@ -7,15 +7,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/10/2017
ms.date: 11/01/2017
---
# DeviceManageability CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.

5
windows/client-management/mdm/devicemanageability-ddf.md
View File

@ -7,15 +7,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/10/2017
ms.date: 11/01/2017
---
# DeviceManageability DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:

4
windows/client-management/mdm/devicestatus-csp.md
View File

@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 11/01/2017
---
# DeviceStatus CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.

4
windows/client-management/mdm/devicestatus-ddf.md
View File

@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/24/2017
ms.date: 11/01/2017
---
# DeviceStatus DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML.

91
windows/client-management/mdm/dmclient-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 10/30/2017
---
# DMClient CSP
@ -252,6 +252,11 @@ Optional. Added in Windows 10, version 1703. Specify the Discovery server URL o
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-numberofdaysafterlostcontacttounenroll"></a>**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
Optional. Number of days after last sucessful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
@ -639,6 +644,90 @@ Optional. Added in Windows 10, version 1703. Specifies the display text for the
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-"></a>**Provider/*ProviderID*/FirstSyncStatus**
Optional node. Added in Windows 10, version 1709.
<a href="" id="provider-providerid-firstsyncstatus-expectedpolicies"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectednetworkprofiles "></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the the management service provider expects to provision, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmsiapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing 4 apps, and ProductID2 containing 2 apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmodernapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example,
``` syntax
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
This represents App Package PackageFullName containing 4 apps, and PackageFullName2 containing 2 apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedpfxcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedscepcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-timeoutuntilsyncfailure"></a>**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
Required. Added in Windows 10, version 1709. This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-serverhasfinishedprovisioning"></a>**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-wasdevicesuccessfullyprovisioned"></a>**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-enhancedapplayersecurity"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
Supported operation is Get.
<a href="" id="provider-providerid-enhancedapplayersecurity-securitymode"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="provider-providerid-enhancedapplayersecurity-usecertifrevocationcheckoffline"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert0"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert1"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
<a href="" id="provider-providerid-unenroll"></a>**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.

2441
windows/client-management/mdm/dmclient-ddf-file.md
View File

File diff suppressed because it is too large Load Diff

5
windows/client-management/mdm/dmsessionactions-ddf.md
View File

@ -6,15 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 11/01/2017
---
# DMSessionActions DDF file
> [!WARNING]
> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **DMSessionActions** configuration service provider.
You can download the DDF files from the links below:

4
windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
View File

@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/11/2017
ms.date: 11/01/2017
---
# Enable ADMX-backed policies in MDM
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This is a step-by-step guide to configuring ADMX-backed policies in MDM.

87
windows/client-management/mdm/euiccs-csp.md Normal file
View File

@ -0,0 +1,87 @@
---
title: eUICCs CSP
description: eUICCs CSP
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 11/01/2017
---
# eUICCs CSP
The eUICCs configuration service provider... This CSP was added in windows 10, version 1709.
The following diagram shows the eUICCs configuration service provider in tree format.
![euiccs csp](images/provisioning-csp-euiccs.png)
<a href="" id="--vendor-msft-euiccs"></a>**./Vendor/MSFT/eUICCs**
Root node.
<a href="" id="euicc"></a>**_eUICC_**
Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
Supported operation is Get.
<a href="" id="euicc-identifier"></a>**_eUICC_/Identifier**
Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID.
Supported operation is Get. Value type is string.
<a href="" id="euicc-isactive"></a>**_eUICC_/IsActive**
Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA.
Supported operation is Get. Value type is boolean.
<a href="" id="euicc-profiles"></a>**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
Supported operation is Get.
<a href="" id="euicc-profiles-iccid"></a>**_eUICC_/Profiles/_ICCID_**
Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
Supported operations are Add, Get, and Delete.
<a href="" id="euicc-profiles-iccid-servername"></a>**_eUICC_/Profiles/_ICCID_/ServerName**
Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
Supported operations are Add and Get. Value type is string.
<a href="" id="euicc-profiles-iccid-matchingid"></a>**_eUICC_/Profiles/_ICCID_/MatchingID**
Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
Supported operations are Add and Get. Value type is string.
<a href="" id="euicc-profiles-iccid-state"></a>**_eUICC_/Profiles/_ICCID_/State**
Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
Supported operation is Get. Value type is integer. Default value is 1.
<a href="" id="euicc-policies"></a>**_eUICC_/Policies**
Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile).
Supported operation is Get.
<a href="" id="euicc-policies-localuienabled"></a>**_eUICC_/Policies/LocalUIEnabled**
Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
Supported operations are Get and Replace. Value type is boolean. Default value is true.
<a href="" id="euicc-actions"></a>**_eUICC_/Actions**
Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active).
Supported operation is Get.
<a href="" id="euicc-actions-resettofactorystate"></a>**_eUICC_/Actions/ResetToFactoryState**
Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
Supported operation is Execute. Value type is string.
<a href="" id="euicc-actions-status"></a>**_eUICC_/Actions/Status**
Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.
Supported value is Get. Value type is integer. Default is 0.

343
windows/client-management/mdm/euiccs-ddf-file.md Normal file
View File

@ -0,0 +1,343 @@
---
title: eUICCs DDF file
description: eUICCs DDF file
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
---
# eUICCs DDF file
This topic shows the OMA DM device description framework (DDF) for the **eUICCs** configuration service provider. DDF files are used only with OMA DM provisioning XML.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>eUICCs</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Subtree for all embedded UICCs (eUICC)</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>com.microsoft/1.0/MDM/eUICCs</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>eUICC</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Identifier</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsActive</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Indicates whether this eUICC is physically present and active. Updated only by the LPA.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Profiles</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Represents all enterprise-owned profiles.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ICCID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ServerName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<Description>Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MatchingID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<Description>Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>State</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Device policies associated with the eUICC as a whole (not per-profile).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>LocalUIEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Actions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Actions that can be performed on the eUICC as a whole (when it is active).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ResetToFactoryState</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```

8
windows/client-management/mdm/firewall-csp.md
View File

@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/18/2017
ms.date: 11/01/2017
---
# Firewall CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
@ -265,7 +263,7 @@ The following diagram shows the Firewall configuration service provider in tree
<p style="margin-left: 20px">If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
<a href="" id="profiles"></a>**FirewallRules_FirewallRuleName_/Profiles**
<a href="" id="profiles"></a>**FirewallRules/_FirewallRuleName_/Profiles**
<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
@ -292,7 +290,7 @@ The following diagram shows the Firewall configuration service provider in tree
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Get and Replace.</p>
<a href="" id="interfacetypes"></a>**FirewallRules/FirewallRuleName/InterfaceTypes**
<a href="" id="interfacetypes"></a>**FirewallRules/_FirewallRuleName_/InterfaceTypes**
<p style="margin-left: 20px">Comma separated list of interface types. Valid values:</p>
<ul>
<li>RemoteAccess</li>

4
windows/client-management/mdm/firewall-ddf-file.md
View File

@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/18/2017
ms.date: 11/01/2017
---
# Firewall CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML.

BIN
windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 63 KiB

After

Width:  |  Height:  |  Size: 85 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-euiccs.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

25
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,15 +10,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 10/25/2017
ms.date: 11/01/2017
---
# What's new in MDM enrollment and management
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
@ -942,6 +939,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[eUICCs CSP](euiccs-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).</td>
@ -992,6 +993,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
<td style="vertical-align:top"><p>Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Bitlocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.</p>
</td></tr>
@ -1393,6 +1398,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Defender/ControlledFolderAccessProtectedFolders - string separator is |.</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[eUICCs CSP](euiccs-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Added SyncML examples for the new Configuration node.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
<td style="vertical-align:top"><p>Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.</p>
</td></tr>
</tbody>
</table>

4
windows/client-management/mdm/office-csp.md
View File

@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/22/2017
ms.date: 11/01/2017
---
# Office CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
This CSP was added in Windows 10, version 1703.

4
windows/client-management/mdm/office-ddf.md
View File

@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/22/2017
ms.date: 11/01/2017
---
# Office DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.

4
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.

5
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - AboveLock
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Accounts
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-activexcontrols.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - ActiveXControls
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-applicationdefaults.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - ApplicationDefaults
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - ApplicationManagement
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-appvirtualization.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - AppVirtualization
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - AttachmentManager
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Authentication
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-autoplay.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Autoplay
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-bitlocker.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Bitlocker
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Bluetooth
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-browser.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 10/10/2017
ms.date: 11/01/2017
---
# Policy CSP - Browser
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-camera.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Camera
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-cellular.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Cellular
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Connectivity
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-credentialproviders.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - CredentialProviders
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-credentialsui.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - CredentialsUI
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Cryptography
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-dataprotection.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - DataProtection
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-datausage.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - DataUsage
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-defender.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 10/27/2017
ms.date: 11/01/2017
---
# Policy CSP - Defender
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - DeliveryOptimization
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-desktop.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Desktop
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

4
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - DeviceGuard
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - DeviceInstallation
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - DeviceLock
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-display.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Display
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-education.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Education
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-enterprisecloudprint.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - EnterpriseCloudPrint
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-errorreporting.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - ErrorReporting
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-eventlogservice.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - EventLogService
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

13
windows/client-management/mdm/policy-csp-experience.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Experience
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -176,14 +175,6 @@ ms.date: 09/29/2017
<p style="margin-left: 20px">Most restricted value is 0.
<p style="margin-left: 20px">Benefit to the customer:
<p style="margin-left: 20px">Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive.
<p style="margin-left: 20px">Sample scenario:
<p style="margin-left: 20px">An enterprise employee customer is going through OOBE and enjoys Cortanas help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>

5
windows/client-management/mdm/policy-csp-exploitguard.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - ExploitGuard
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-games.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Games
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-handwriting.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Handwriting
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - InternetExplorer
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Kerberos
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-licensing.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Licensing
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 10/05/2017
ms.date: 11/01/2017
---
# Policy CSP - LocalPoliciesSecurityOptions
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-location.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Location
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-lockdown.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - LockDown
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-maps.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Maps
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

5
windows/client-management/mdm/policy-csp-messaging.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/29/2017
ms.date: 11/01/2017
---
# Policy CSP - Messaging
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>

Some files were not shown because too many files have changed in this diff Show More