diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index c7880180f39..2794193b88b 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -2,40 +2,32 @@ :allowed-branchname-matches ["main" "release-.*"] :allowed-filename-matches ["windows/"] - :targets + :use-gh-statuses true + + :targets { :counts { - ;;:correctness 13 - ;;:total 15 ;; absolute flag count but i don't know the difference between this and issues - ;;:issues 15 ;; coming from the platform, will need to be tested. + ;;:correctness 13 + ;;:total 15 ;; + ;;:issues 15 ;; + ;;:correctness 13 ;; } :scores { ;;:terminology 100 - :qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place + :qualityscore 80 ;; ;;:correctness 40 } } :guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific" - :acrolinx-check-settings - { - "languageId" "en" - "ruleSetName" "Standard" - "requestedFlagTypes" ["CORRECTNESS" "SPELLING" "GRAMMAR" "STYLE" - "TERMINOLOGY_DEPRECATED" - "TERMINOLOGY_VALID" - "VOICE_GUIDANCE" - ] - "termSetNames" ["M365" "Products" "Microsoft"] - } - :template-header " -## Acrolinx Scorecards + +## Acrolinx Scorecards -**The minimum Acrolinx topic score of 80 is required for all MAGIC content merged to the default branch.** +**The minimum Acrolinx topic score of 80 is required for all Magic content merged to the default branch.** If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions: 
@@ -43,22 +35,26 @@ If you need a scoring exception for content in this PR, add the *Sign off* and t - Escalate the exception request to the Acrolinx Review Team for review. - Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch. -For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=master). +For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=main). -Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology: +Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality. -| Article | Score | Issues | Correctness
score | Scorecard | Processed | -| ------- | ----- | ------ | ------ | --------- | --------- | +| Article | Total score
(Required: 80) | Words + phrases
(Brand, terms) | Correctness
(Spelling, grammar) | Clarity
(Readability) | +|---------|:--------------:|:--------------------:|:------:|:---------:| " :template-change - "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/scores/correctness} | [link](${acrolinx/scorecard}) | ${s/status} | + "| ${s/status} ${s/file} | [${acrolinx/qualityscore}](${acrolinx/scorecard}) | ${acrolinx/scores/words_and_phrases} | ${acrolinx/scores/correctness} | ${acrolinx/scores/clarity} | " :template-footer " -**More info about Acrolinx** +**More information about Acrolinx** -Use the Acrolinx extension, or sidebar, in Visual Studio Code to check spelling, grammar, style, tone, clarity, and key terminology when you're creating or updating content. For more information, see [Use the Visual Studio Code extension to run Acrolinx locally](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-vscode?branch=master). +- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main) +- [False positives or issues](https://aka.ms/acrolinxbug) +- [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx) +- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages) + " } diff --git a/.github/workflows/AutoLabelAssign.yml b/.github/workflows/AutoLabelAssign.yml new file mode 100644 index 00000000000..8247aa8e9cf --- /dev/null +++ b/.github/workflows/AutoLabelAssign.yml 
@@ -0,0 +1,41 @@
+name: Assign and label PR
+
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+
+on:
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+
+jobs:
+ download-payload:
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+ label-assign:
+ name: Run assign and label
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ AutoAssignUsers: 1
+ AutoLabel: 1
+ ExcludedUserList: '["user1", "user2"]'
+ ExcludedBranchList: '["branch1", "branch2"]'
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+
+
+
+
diff --git a/.github/workflows/AutoLabelMsftContributor.yml b/.github/workflows/AutoLabelMsftContributor.yml
new file mode 100644
index 00000000000..66992cfeef6
--- /dev/null
+++ b/.github/workflows/AutoLabelMsftContributor.yml
@@ -0,0 +1,40 @@
+name: Auto label Microsoft contributors
+
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+
+on:
+ workflow_run:
+ workflows: [Background tasks]
+ types:
+ - completed
+
+jobs:
+ download-payload:
+ if: github.repository_visibility == 'public'
+ name: Download and extract payload artifact
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
+ with:
+ WorkflowId: ${{ github.event.workflow_run.id }}
+ OrgRepo: ${{ github.repository }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+ label-msft:
+ name: Label Microsoft contributors
+ if: github.repository_visibility == 'public'
+ needs: [download-payload]
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod
+ with:
+ PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+ TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
+
+
+
+
+
+
diff --git a/.github/workflows/BackgroundTasks.yml b/.github/workflows/BackgroundTasks.yml
new file mode 100644
index 00000000000..c0389bb252f
--- /dev/null
+++ b/.github/workflows/BackgroundTasks.yml
@@ -0,0 +1,26 @@
+name: Background tasks
+
+permissions:
+ pull-requests: write
+ contents: read
+
+on:
+ pull_request_target:
+
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Save payload data
+ env:
+ PayloadJson: ${{ toJSON(github) }}
+ AccessToken: ${{ github.token }}
+ run: |
+ mkdir -p ./pr
+ echo $PayloadJson > ./pr/PayloadJson.json
+ sed -i -e "s/$AccessToken/XYZ/g" ./pr/PayloadJson.json
+ - uses: actions/upload-artifact@v4
+ with:
+ name: PayloadJson
+ path: pr/
diff --git a/.github/workflows/LiveMergeCheck.yml b/.github/workflows/LiveMergeCheck.yml
new file mode 100644
index 00000000000..faeb2a0ef40
--- /dev/null
+++ b/.github/workflows/LiveMergeCheck.yml
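Review bot: In AutoLabelMsftContributor.yml the `label-msft` job passes `ORG_READTEAMS_TOKEN` to a workflow whose `PayloadJson` comes from an artifact written by a `pull_request_target` run, so fields inside it (PR title, body, branch name, author) are contributor-controlled and should be documented as untrusted where they are consumed. Neither job checks how the triggering run ended; extending the existing condition to `if: github.repository_visibility == 'public' && github.event.workflow_run.conclusion == 'success'` avoids processing an artifact from a failed or cancelled run. How Shared-AutoLabelMsftContributor.yml uses the payload and the org token is outside this diff, so this is a request to confirm rather than a confirmed defect.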
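Review bot: `echo $PayloadJson` in the `Save payload data` step of BackgroundTasks.yml expands the variable unquoted, so the shell word-splits and glob-expands JSON that contains contributor-written PR text before it is written to the artifact that the `workflow_run` workflows later act on. Writing it with `printf '%s' "$PayloadJson" > ./pr/PayloadJson.json` keeps the payload byte-for-byte. The step also serialises the whole `github` context, token included, and relies on the `sed` substitution alone to remove it; if the shared workflows only need the event, `PayloadJson: ${{ toJSON(github.event) }}` would keep the token out of the file in the first place (that dependency is not visible here). The job only uploads an artifact, so the workflow-level `pull-requests: write` looks unnecessary and could be reduced to `contents: read`.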
@@ -0,0 +1,22 @@
+name: PR can merge into branch
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize, edited]
+
+jobs:
+
+ live-merge:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+
\ No newline at end of file
diff --git a/.github/workflows/PrFileCount.yml b/.github/workflows/PrFileCount.yml
new file mode 100644
index 00000000000..40f7d616294
--- /dev/null
+++ b/.github/workflows/PrFileCount.yml
@@ -0,0 +1,22 @@
+name: PR file count less than limit
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize, labeled, unlabeled, edited]
+
+jobs:
+
+ file-count:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+
diff --git a/.github/workflows/ProtectedFiles.yml b/.github/workflows/ProtectedFiles.yml
new file mode 100644
index 00000000000..007f8f04b13
--- /dev/null
+++ b/.github/workflows/ProtectedFiles.yml
@@ -0,0 +1,20 @@
+name: PR has no protected files
+
+permissions:
+ pull-requests: write
+ statuses: write
+ contents: read
+
+on: [pull_request_target]
+
+jobs:
+
+ protected-files:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod
+ with:
+ PayloadJson: ${{ toJSON(github) }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
+
+
+
\ No newline at end of file
diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json
index 7e028ba6b73..77b49e134cb 100644
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
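Review bot: `PayloadJson: ${{ toJSON(github) }}` in LiveMergeCheck.yml, and identically in PrFileCount.yml and ProtectedFiles.yml, sends the full context of a `pull_request_target` event, which includes contributor-written title, body and head ref plus `github.token`, into the shared workflow as an input, and unlike BackgroundTasks.yml nothing removes the token first. Whether that is safe depends on Shared-LiveMergeCheck.yml and its siblings, which this diff does not show: the input must reach scripts through an environment variable or a file and never be expanded as `${{ inputs.PayloadJson }}` inside a `run:` block. I would record that contract next to each call, e.g. `# PayloadJson contains untrusted PR fields; the called workflow must read it via env, not inline expansion`, and pass `toJSON(github.event)` instead if the shared workflows do not need the rest of the context.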
@@ -229,6 +229,83 @@ "source_path": "education/windows/windows-editions-for-education-customers.md", "redirect_url": "/education/windows", "redirect_document_id": false + }, + { + "source_path": "education/windows/configure-windows-for-education.md", + "redirect_url": "/education/windows", + "redirect_document_id": false + }, + + + { + "source_path": "education/windows/tutorial-school-deployment/configure-device-apps.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-apps", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/configure-device-settings.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-settings", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/configure-devices-overview.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-devices-overview", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/enroll-autopilot.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-autopilot", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/enroll-entra-join.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-entra-join", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/enroll-overview.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-overview", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/enroll-package.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-package", + "redirect_document_id": false + }, + { + "source_path": 
"education/windows/tutorial-school-deployment/index.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/introduction", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/manage-overview.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-overview", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/manage-surface-devices.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-surface-devices", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/reset-wipe.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/reset-wipe", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-intune.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune", + "redirect_document_id": false + }, + { + "source_path": "education/windows/tutorial-school-deployment/troubleshoot-overview.md", + "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/troubleshoot-overview", + "redirect_document_id": false } ] } \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index d6f64463857..0cde1bb4003 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -1272,7 +1272,7 @@ }, { "source_path": "windows/configure/basic-level-windows-diagnostic-events-and-fields-1703.md", - "redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1703", "redirect_document_id": false }, { @@ -1302,7 +1302,7 @@ }, { "source_path": "windows/configure/configure-windows-telemetry-in-your-organization.md", - "redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization", + "redirect_url": "/windows/privacy/configure-windows-diagnostic-data-in-your-organization", "redirect_document_id": false }, { @@ -1527,7 +1527,7 @@ }, { "source_path": "windows/configure/windows-diagnostic-data-1703.md", - "redirect_url": "/windows/configuration/windows-diagnostic-data", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1703", "redirect_document_id": false }, { @@ -1582,7 +1582,7 @@ }, { "source_path": "windows/deploy/add-manage-products-vamt.md", - "redirect_url": "/windows/deployment/volume-activation/add-manage-products-vamt", + "redirect_url": "/windows/deployment/volume-activation/add-remove-computers-vamt", "redirect_document_id": false }, { @@ -1732,7 +1732,7 @@ }, { "source_path": "windows/deploy/install-configure-vamt.md", - "redirect_url": "/windows/deployment/volume-activation/install-configure-vamt", + "redirect_url": "/windows/deployment/volume-activation/vamt-requirements", "redirect_document_id": false }, { 
@@ -1777,17 +1777,17 @@ }, { "source_path": "windows/deploy/manage-activations-vamt.md", - "redirect_url": "/windows/deployment/volume-activation/manage-activations-vamt", + "redirect_url": "/windows/deployment/volume-activation/online-activation-vamt", "redirect_document_id": false }, { "source_path": "windows/deploy/manage-product-keys-vamt.md", - "redirect_url": "/windows/deployment/volume-activation/manage-product-keys-vamt", + "redirect_url": "/windows/deployment/volume-activation/add-remove-product-key-vamt", "redirect_document_id": false }, { "source_path": "windows/deploy/manage-vamt-data.md", - "redirect_url": "/windows/deployment/volume-activation/manage-vamt-data", + "redirect_url": "/windows/deployment/volume-activation/import-export-vamt-data", "redirect_document_id": false }, { @@ -2422,7 +2422,7 @@ }, { "source_path": "windows/deploy/vamt-step-by-step.md", - "redirect_url": "/windows/deployment/volume-activation/vamt-step-by-step", + "redirect_url": "/windows/deployment/volume-activation/scenario-online-activation-vamt", "redirect_document_id": false }, { @@ -10372,7 +10372,7 @@ }, { "source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md", - "redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization", + "redirect_url": "/windows/privacy/configure-windows-diagnostic-data-in-your-organization", "redirect_document_id": false }, { @@ -11487,7 +11487,7 @@ }, { "source_path": "windows/plan/windows-10-compatibility.md", - "redirect_url": "/windows/deployment/planning/windows-10-compatibility", + "redirect_url": "/windows/compatibility/", "redirect_document_id": false }, { diff --git a/.openpublishing.redirection.windows-application-management.json b/.openpublishing.redirection.windows-application-management.json index b602d2f3f0c..1a9744551d7 100644 --- a/.openpublishing.redirection.windows-application-management.json +++ b/.openpublishing.redirection.windows-application-management.json 
@@ -29,6 +29,511 @@ "source_path": "windows/application-management/sideload-apps-in-windows-10.md", "redirect_url": "/windows/application-management/sideload-apps-in-windows", "redirect_document_id": false + }, + { + "source_path": "windows/application-management/add-apps-and-features.md", + "redirect_url": "/windows/client-management/client-tools/add-remove-hide-features", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-about-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-about-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-add-or-remove-an-administrator-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-add-or-upgrade-packages-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-administering-appv-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-administering-appv-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-administering-virtual-applications-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-allow-administrators-to-enable-connection-groups", + "redirect_document_id": false + 
}, + { + "source_path": "windows/application-management/app-v/appv-application-publishing-and-client-interaction.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-application-publishing-and-client-interaction", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-apply-the-deployment-configuration-file-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-apply-the-user-configuration-file-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-auto-batch-sequencing.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-auto-batch-sequencing", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-auto-batch-updating.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-auto-batch-updating", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-auto-clean-unpublished-packages.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-auto-clean-unpublished-packages", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-auto-provision-a-vm.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-auto-provision-a-vm", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-available-mdm-settings.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-available-mdm-settings", + "redirect_document_id": false + }, + { + "source_path": 
"windows/application-management/app-v/appv-capacity-planning.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-capacity-planning", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-client-configuration-settings.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-client-configuration-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-configure-access-to-packages-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-configure-connection-groups-to-ignore-the-package-version", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-connection-group-file.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-connection-group-file", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-connection-group-virtual-environment.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-connection-group-virtual-environment", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-connect-to-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-connect-to-the-management-console", + 
"redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-create-a-connection-group.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-create-a-connection-group", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-create-a-custom-configuration-file-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-create-and-use-a-project-template.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-create-and-use-a-project-template", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-create-a-package-accelerator.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-create-a-package-accelerator", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-create-a-package-accelerator-with-powershell", + "redirect_document_id": false + }, + { + "source_path": 
"windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-create-a-virtual-application-package-package-accelerator", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-creating-and-managing-virtualized-applications", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-customize-virtual-application-extensions-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-delete-a-connection-group.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-delete-a-connection-group", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-delete-a-package-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploy-appv-databases-with-sql-scripts", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploying-appv.md", + 
"redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploying-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploying-microsoft-office-2010-wth-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploying-microsoft-office-2013-with-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploying-microsoft-office-2016-with-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploying-the-appv-sequencer-and-client", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploying-the-appv-server.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploying-the-appv-server", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deployment-checklist.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deployment-checklist", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploy-the-appv-server.md", + 
"redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploy-the-appv-server", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-deploy-the-appv-server-with-a-script", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-dynamic-configuration.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-dynamic-configuration", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-enable-reporting-on-the-appv-client-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-enable-the-app-v-desktop-client", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-evaluating-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-evaluating-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-for-windows.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-for-windows", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-getting-started.md", + "redirect_url": 
"/microsoft-desktop-optimization-pack/app-v/appv-getting-started", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-high-level-architecture.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-high-level-architecture", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-install-the-management-server-on-a-standalone-computer", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-install-the-publishing-server-on-a-remote-computer", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-install-the-reporting-server-on-a-standalone-computer", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-install-the-sequencer.md", + "redirect_url": 
"/microsoft-desktop-optimization-pack/app-v/appv-install-the-sequencer", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-maintaining-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-maintaining-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-managing-connection-groups.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-managing-connection-groups", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-migrating-to-appv-from-a-previous-version", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-modify-an-existing-virtual-application-package", + "redirect_document_id": false + }, + { + "source_path": 
"windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-modify-client-configuration-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-move-the-appv-server-to-another-computer", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-operations.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-operations", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-performance-guidance.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-performance-guidance", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-checklist.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-checklist", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-folder-redirection-with-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-for-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-for-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-for-appv-server-deployment.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-for-appv-server-deployment", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md", + "redirect_url": 
"/microsoft-desktop-optimization-pack/app-v/appv-planning-for-high-availability-with-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-for-sequencer-and-client-deployment", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-for-using-appv-with-office.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-for-using-appv-with-office", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-to-deploy-appv.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-to-deploy-appv", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-preparing-your-environment.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-preparing-your-environment", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-prerequisites.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-prerequisites", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-publish-a-connection-group.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-publish-a-connection-group", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md", + "redirect_url": 
"/microsoft-desktop-optimization-pack/app-v/appv-publish-a-packages-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-release-notes-for-appv-for-windows", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-release-notes-for-appv-for-windows-1703", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-reporting.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-reporting", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-security-considerations.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-security-considerations", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-sequence-a-new-application.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-sequence-a-new-application", + "redirect_document_id": false + }, + { + "source_path": 
"windows/application-management/app-v/appv-sequence-a-package-with-powershell.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-sequence-a-package-with-powershell", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-supported-configurations.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-supported-configurations", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-technical-reference.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-technical-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-troubleshooting.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-troubleshooting", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-using-the-client-management-console.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-using-the-client-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md", + "redirect_url": 
"/microsoft-desktop-optimization-pack/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console", + "redirect_document_id": false + }, + { + "source_path": "windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md", + "redirect_url": "/microsoft-desktop-optimization-pack/app-v/appv-viewing-appv-server-publishing-metadata", + "redirect_document_id": false } ] } diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json index 5de90b60ea1..e07084c0ecc 100644 --- a/.openpublishing.redirection.windows-configuration.json +++ b/.openpublishing.redirection.windows-configuration.json @@ -2,17 +2,17 @@ "redirections": [ { "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md", - "redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1703", "redirect_document_id": false }, { "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md", - "redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1709", "redirect_document_id": false }, { "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields.md", - "redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields", + "redirect_url": "/windows/privacy/index", "redirect_document_id": false }, { 
@@ -27,7 +27,7 @@
 },
 {
 "source_path": "windows/configuration/configure-windows-telemetry-in-your-organization.md",
- "redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization",
+ "redirect_url": "/windows/privacy/configure-windows-diagnostic-data-in-your-organization",
 "redirect_document_id": false
 },
 {
@@ -37,7 +37,7 @@
 },
 {
 "source_path": "windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md",
- "redirect_url": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields",
+ "redirect_url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136",
 "redirect_document_id": false
 },
 {
@@ -47,7 +47,7 @@
 },
 {
 "source_path": "windows/configuration/gdpr-win10-whitepaper.md",
- "redirect_url": "/windows/privacy/gdpr-win10-whitepaper",
+ "redirect_url": "/windows/privacy/windows-privacy-compliance-guide",
 "redirect_document_id": false
 },
 {
@@ -72,7 +72,7 @@
 },
 {
 "source_path": "windows/configuration/manage-windows-endpoints-version-1709.md",
- "redirect_url": "/windows/privacy/manage-windows-endpoints",
+ "redirect_url": "/windows/privacy/index",
 "redirect_document_id": false
 },
 {
@@ -162,12 +162,12 @@
 },
 {
 "source_path": "windows/configuration/start-taskbar-lockscreen.md",
- "redirect_url": "/windows/configuration/windows-10-start-layout-options-and-policies",
+ "redirect_url": "/windows/configuration/start/policy-settings",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/stop-employees-from-using-the-windows-store.md",
- "redirect_url": "/windows/configuration/stop-employees-from-using-microsoft-store",
+ "redirect_url": "/windows/configuration/store",
 "redirect_document_id": false
 },
 {
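Review bot: The new target for `enhanced-diagnostic-data-windows-analytics-events-and-fields.md` (hunk at -37,7) is the only absolute, off-site URL among the redirects visible in this diff; every other entry stays site-relative. A blog post sits outside whatever link validation the docs build applies to in-site paths (inferred, not visible here), and its subject (a preview announcement) is not the events-and-fields reference that readers of the old URL were looking for. Unless there is a reason to send this privacy reference off-site, an in-site landing page already used elsewhere in this file would be easier to maintain, for example `"redirect_url": "/windows/privacy/index",`.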
@@ -262,17 +262,17 @@
 },
 {
 "source_path": "windows/configuration/windows-diagnostic-data-1703.md",
- "redirect_url": "/windows/privacy/windows-diagnostic-data-1703",
+ "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1703",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/windows-diagnostic-data-1709.md",
- "redirect_url": "/windows/configuration/windows-diagnostic-data",
+ "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1709",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/windows-diagnostic-data.md",
- "redirect_url": "/windows/privacy/windows-diagnostic-data",
+ "redirect_url": "/windows/privacy/index",
 "redirect_document_id": false
 },
 {
@@ -282,12 +282,12 @@
 },
 {
 "source_path": "windows/configuration/configure-windows-10-taskbar.md",
- "redirect_url": "/windows/configuration/taskbar/configure-windows-10-taskbar",
+ "redirect_url": "/windows/configuration/taskbar/",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/customize-and-export-start-layout.md",
- "redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
+ "redirect_url": "/windows/configuration/start/layout",
 "redirect_document_id": false
 },
 {
@@ -297,7 +297,7 @@
 },
 {
 "source_path": "windows/configuration/customize-taskbar-windows-11.md",
- "redirect_url": "/windows/configuration/taskbar/customize-taskbar-windows-11",
+ "redirect_url": "/windows/configuration/taskbar",
 "redirect_document_id": false
 },
 {
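Review bot: In the hunk at -262,17, `windows-diagnostic-data-1703.md` and `windows-diagnostic-data-1709.md` now resolve to the `basic-level-windows-diagnostic-events-and-fields-1703` and `-1709` pages, the same targets the basic-level sources receive in the hunk at -2,17. Judging by the file names these were separate references, so someone following an old link to check which diagnostic data a given release collects would land on the basic-level event list instead; this may be intentional if the originals were retired without an archive copy. If no archived equivalent exists, the landing page the unversioned entry uses is less misleading: `"redirect_url": "/windows/privacy/index",`.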
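Review bot: The same destination is written in two forms across these hunks: `/windows/configuration/taskbar/` in the hunk at -282,12 but `/windows/configuration/taskbar` in the hunk at -297,7. The pattern repeats with `/windows/configuration/` (hunk at -392,7) against `/windows/configuration` (hunk at -729,6), and with `/windows/configuration/windows-spotlight/index` against `/windows/configuration/windows-spotlight` inside the hunk at -457,7. Whether the publishing system normalises these is not visible here, so picking one spelling avoids an extra hop and keeps the file greppable, for example `"redirect_url": "/windows/configuration/taskbar",` everywhere.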
@@ -347,7 +347,12 @@
 },
 {
 "source_path": "windows/configuration/kiosk-prepare.md",
- "redirect_url": "/windows/configuration/kiosk/kiosk-prepare",
+ "redirect_url": "/windows/configuration/assigned-access/recommendations",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/kiosk/recommendations.md",
+ "redirect_url": "/windows/configuration/assigned-access/recommendations",
 "redirect_document_id": false
 },
 {
@@ -372,7 +377,7 @@
 },
 {
 "source_path": "windows/configuration/lockdown-features-windows-10.md",
- "redirect_url": "/windows/configuration/kiosk/lockdown-features-windows-10",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10",
 "redirect_document_id": false
 },
 {
@@ -392,7 +397,7 @@
 },
 {
 "source_path": "windows/configuration/manage-tips-and-suggestions.md",
- "redirect_url": "/windows/configuration/tips/manage-tips-and-suggestions",
+ "redirect_url": "/windows/configuration/",
 "redirect_document_id": false
 },
 {
@@ -422,32 +427,37 @@
 },
 {
 "source_path": "windows/configuration/start-layout-xml-desktop.md",
- "redirect_url": "/windows/configuration/start/start-layout-xml-desktop",
+ "redirect_url": "/windows/configuration/start/layout",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/start-secondary-tiles.md",
- "redirect_url": "/windows/configuration/start/start-secondary-tiles",
+ "redirect_url": "/windows/configuration/start/layout",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md",
- "redirect_url": "/windows/configuration/store/stop-employees-from-using-microsoft-store",
+ "redirect_url": "/windows/configuration/store",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/store/stop-employees-from-using-microsoft-store.md",
+ "redirect_url": "/windows/configuration/store",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/supported-csp-start-menu-layout-windows.md",
- "redirect_url": "/windows/configuration/start/supported-csp-start-menu-layout-windows",
+ "redirect_url": "/windows/configuration/start/policy-settings",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/supported-csp-taskbar-windows.md",
- "redirect_url": "/windows/configuration/taskbar/supported-csp-taskbar-windows",
+ "redirect_url": "/windows/configuration/taskbar/policy-settings",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/windows-10-start-layout-options-and-policies.md",
- "redirect_url": "/windows/configuration/start/windows-10-start-layout-options-and-policies",
+ "redirect_url": "/windows/configuration/start/policy-settings",
 "redirect_document_id": false
 },
 {
@@ -457,7 +467,12 @@
 },
 {
 "source_path": "windows/configuration/windows-spotlight.md",
- "redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
+ "redirect_url": "/windows/configuration/windows-spotlight/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/lock-screen/windows-spotlight.md",
+ "redirect_url": "/windows/configuration/windows-spotlight",
 "redirect_document_id": false
 },
 {
@@ -729,6 +744,296 @@ "source_path": "windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md", "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org", "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/lockdown-features-windows-10.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md", + "redirect_url": "/windows/configuration/store/find-aumid", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/lock-down-windows-10-applocker.md", + "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md", + "redirect_url": "/windows/configuration/assigned-access/configuration-file", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/assigned-access/create-xml.md", + "redirect_url": "/windows/configuration/assigned-access/configuration-file", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md", + "redirect_url": "/windows/configuration/assigned-access/configuration-file", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-additional-reference.md", + "redirect_url": "/windows/configuration/assigned-access", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-mdm-bridge.md", + "redirect_url": "/windows/configuration/assigned-access/quickstart-kiosk", + "redirect_document_id": false + }, + { + 
"source_path": "windows/configuration/kiosk/kiosk-policies.md", + "redirect_url": "/windows/configuration/assigned-access/policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-shelllauncher.md", + "redirect_url": "/windows/configuration/assigned-access/shell-launcher", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-validate.md", + "redirect_url": "/windows/configuration/assigned-access/overview", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-xml.md", + "redirect_url": "/windows/configuration/assigned-access/configuration-file", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/setup-digital-signage.md", + "redirect_url": "/windows/configuration/assigned-access/overview", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-single-app.md", + "redirect_url": "/windows/configuration/assigned-access/overview", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-methods.md", + "redirect_url": "/windows/configuration/assigned-access", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/guidelines-for-assigned-access-app.md", + "redirect_url": "/windows/configuration/assigned-access/overview", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-prepare.md", + "redirect_url": "/windows/configuration/assigned-access/recommendations", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/customize-start-menu-layout-windows-11.md", + "redirect_url": "/windows/configuration/start/layout", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md", + "redirect_url": "/windows/configuration/start/layout", + 
"redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md", + "redirect_url": "/windows/configuration/start/layout", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md", + "redirect_url": "/windows/configuration/start/layout", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/taskbar/configure-windows-10-taskbar.md", + "redirect_url": "/windows/configuration/taskbar/", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/taskbar/customize-taskbar-windows-11.md", + "redirect_url": "/windows/configuration/taskbar/", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/supported-csp-start-menu-layout-windows.md", + "redirect_url": "/windows/configuration/start/policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/tips/manage-tips-and-suggestions.md", + "redirect_url": "/windows/configuration", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/taskbar/configure.md", + "redirect_url": "/windows/configuration/taskbar/", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/taskbar/supported-csp-taskbar-windows.md", + "redirect_url": "/windows/configuration/taskbar/policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/start-layout-xml-desktop.md", + "redirect_url": "/windows/configuration/start/layout", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/customize-and-export-start-layout.md", + "redirect_url": "/windows/configuration/start/layout", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/windows-10-start-layout-options-and-policies.md", + 
"redirect_url": "/windows/configuration/start/policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start/start-secondary-tiles.md", + "redirect_url": "/windows/configuration/start/layout", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-administering-uev-with-windows-powershell-and-wmi", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-administering-uev.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-administering-uev", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-application-template-schema-reference.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-application-template-schema-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-changing-the-frequency-of-scheduled-tasks", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-configuring-uev-with-group-policy-objects", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-configuring-uev-with-system-center-configuration-manager", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-deploy-required-features.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-deploy-required-features", + "redirect_document_id": false + }, + { + "source_path": 
"windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-deploy-uev-for-custom-applications", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-for-windows.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-for-windows", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-getting-started.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-getting-started", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-manage-administrative-backup-and-restore", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-manage-configurations.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-manage-configurations", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-migrating-settings-packages.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-migrating-settings-packages", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-prepare-for-deployment.md", + "redirect_url": 
"/microsoft-desktop-optimization-pack/ue-v/uev-prepare-for-deployment", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-release-notes-1607.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-release-notes-1607", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-security-considerations.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-security-considerations", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-sync-methods.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-sync-methods", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-sync-trigger-events.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-sync-trigger-events", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-synchronizing-microsoft-office-with-uev", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-technical-reference.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-technical-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-troubleshooting.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-troubleshooting", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-upgrade-uev-from-previous-releases", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md", + "redirect_url": 
"/microsoft-desktop-optimization-pack/ue-v/uev-using-uev-with-application-virtualization-applications", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-whats-new-in-uev-for-windows", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md", + "redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-working-with-custom-templates-and-the-uev-generator", + "redirect_document_id": false } ] } diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 813e7ce7fc9..8a987dc711a 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json @@ -791,8 +791,8 @@ "redirect_document_id": true }, { - "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md", - "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview", + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview", "redirect_document_id": true }, { 
@@ -806,8 +806,8 @@
 "redirect_document_id": true
 },
 {
- "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md",
- "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications",
+ "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications",
 "redirect_document_id": true
 },
 {
@@ -816,8 +816,8 @@
 "redirect_document_id": false
 },
 {
- "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md",
- "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp",
+ "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp",
 "redirect_document_id": true
 },
 {
@@ -826,8 +826,8 @@
 "redirect_document_id": false
 },
 {
- "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md",
- "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview",
+ "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview",
 "redirect_document_id": true
 },
 {
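Review bot: The swapped Autopatch entries here (and in the hunks at -791,8 and -836,13) keep `"redirect_document_id": true`, while the new `windows-autopatch-groups-*` entries added in the hunk at -1124,6 (that hunk runs past the visible part of the diff) use `false` for what looks like the same rename family. If the intent is for the restored non-groups pages to take over the identity of the groups pages, the flag should be the same across the family; if not, the swapped entries probably want `"redirect_document_id": false` as well. Reversing the direction also only works when the `-groups-` source files are deleted and the non-groups targets exist again in this commit, which these hunks do not show.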
@@ -836,13 +836,13 @@
 "redirect_document_id": true
 },
 {
- "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md",
- "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals",
+ "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md",
- "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard",
+ "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard",
 "redirect_document_id": true
 },
 {
@@ -1124,6 +1124,246 @@ "source_path": "windows/deployment/Windows-AutoPilot-EULA-note.md", "redirect_url": "/legal/windows/windows-autopilot-eula-note", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-10-missing-fonts.md", + "redirect_url": "/windows/deployment/windows-missing-fonts", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/volume-activation/volume-activation-windows-10.md", + "redirect_url": "/windows/deployment/volume-activation/volume-activation-windows", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/volume-activation/activate-windows-10-clients-vamt.md", + "redirect_url": "/windows/deployment/volume-activation/activate-windows-clients-vamt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-windows-feature-update-releases", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-trending-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-status-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-customize-windows-update-settings", + "redirect_document_id": false + }, + { + "source_path": 
"windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-status-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-summary-dashboard", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-trending-report", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/planning/windows-10-compatibility.md", + "redirect_url": "/windows/compatibility/", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/do/waas-delivery-optimization-setup.md", + "redirect_url": "/windows/deployment/do/delivery-optimization-configure", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/plan-determine-app-readiness.md", + "redirect_url": "/windows/compatibility/windows-11/testing-guidelines", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/volume-activation/add-manage-products-vamt.md", + "redirect_url": "/windows/deployment/volume-activation/add-remove-computers-vamt", + "redirect_document_id": false + }, + { + "source_path": 
"windows/deployment/volume-activation/install-configure-vamt.md", + "redirect_url": "/windows/deployment/volume-activation/vamt-requirements", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/volume-activation/manage-activations-vamt.md", + "redirect_url": "/windows/deployment/volume-activation/online-activation-vamt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/volume-activation/manage-product-keys-vamt.md", + "redirect_url": "/windows/deployment/volume-activation/add-remove-product-key-vamt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/volume-activation/manage-vamt-data.md", + "redirect_url": "/windows/deployment/volume-activation/import-export-vamt-data", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/volume-activation/vamt-step-by-step.md", + "redirect_url": "/windows/deployment/volume-activation/scenario-online-activation-vamt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md", + "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-status-report.md", + 
"redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-trending-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-summary-dashboard.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-status-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-trending-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md", + "redirect_url": 
"/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-resolve-policy-conflicts.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-customize-windows-update-settings.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-edge", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-manage-windows-feature-update-releases.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-windows-feature-update-releases", + "redirect_document_id": false + }, + { + "source_path": 
"windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-teams", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-unenroll-tenant", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-communications", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-update-exp", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md", + "redirect_url": 
"/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-signals", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies", + "redirect_document_id": false } ] } diff --git a/.openpublishing.redirection.windows-privacy.json b/.openpublishing.redirection.windows-privacy.json index 3bbff994f7f..54a466f5e39 100644 --- a/.openpublishing.redirection.windows-privacy.json +++ b/.openpublishing.redirection.windows-privacy.json @@ -2,22 +2,22 @@ "redirections": [ { "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", - "redirect_url": "/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004", + "redirect_url": "/windows/privacy/index", "redirect_document_id": false }, { "source_path": "windows/privacy/deploy-data-processor-service-windows.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "redirect_url": "/windows/privacy/windows-privacy-compliance-guide", "redirect_document_id": false }, { "source_path": "windows/privacy/gdpr-it-guidance.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "redirect_url": "/windows/privacy/windows-privacy-compliance-guide", "redirect_document_id": false }, { "source_path": "windows/privacy/gdpr-win10-whitepaper.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "redirect_url": "/windows/privacy/windows-privacy-compliance-guide", "redirect_document_id": false }, { 
@@ -27,33 +27,138 @@ }, { "source_path": "windows/privacy/manage-windows-1709-endpoints.md", - "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_url": "/windows/privacy/index", "redirect_document_id": false }, { "source_path": "windows/privacy/manage-windows-1803-endpoints.md", - "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_url": "/windows/privacy/index", "redirect_document_id": false }, { "source_path": "windows/privacy/manage-windows-endpoints.md", - "redirect_url": "/windows/privacy/manage-windows-2004-endpoints", + "redirect_url": "/windows/privacy/index", "redirect_document_id": false }, { "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md", - "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_url": "/windows/privacy/index", "redirect_document_id": false }, { "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md", - "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_url": "/windows/privacy/index", "redirect_document_id": false }, { "source_path": "windows/privacy/windows-personal-data-services-configuration.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "redirect_url": "/windows/privacy/windows-privacy-compliance-guide", "redirect_document_id": false + }, + { + "source_path": "windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md", + "redirect_url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1703", + "redirect_document_id": false + }, + { + "source_path": 
"windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1709", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1803", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1903", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-1903-endpoints.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/manage-windows-1903-endpoints", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-1909-endpoints.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/manage-windows-1909-endpoints", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-2004-endpoints.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/manage-windows-2004-endpoints", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-20H2-endpoints.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/manage-windows-20H2-endpoints", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-21H1-endpoints.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/manage-windows-21H1-endpoints", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-1809-non-enterprise-editions.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/windows-endpoints-1809-non-enterprise-editions", + "redirect_document_id": false + }, + { + 
"source_path": "windows/privacy/windows-endpoints-1903-non-enterprise-editions.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/windows-endpoints-1903-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-1909-non-enterprise-editions.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/windows-endpoints-1909-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-2004-non-enterprise-editions.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/windows-endpoints-2004-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/windows-endpoints-20H2-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/windows-endpoints-21H1-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-diagnostic-data-1703.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/basic-level-windows-diagnostic-events-and-fields-1703", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/changes-to-windows-diagnostic-data-collection.md", + "redirect_url": "/previous-versions/windows/it-pro/privacy/changes-to-windows-diagnostic-data-collection", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-10-and-privacy-compliance.md", + "redirect_url": "/windows/privacy/windows-privacy-compliance-guide", + "redirect_document_id": true + }, + { + "source_path": "windows/privacy/windows-diagnostic-data.md", + "redirect_url": "/windows/privacy/optional-diagnostic-data", + "redirect_document_id": true + }, + { + 
"source_path": "windows/privacy/Microsoft-DiagnosticDataViewer.md", + "redirect_url": "/windows/privacy/diagnostic-data-viewer-powershell", + "redirect_document_id": true } ] } diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 9ddad9824fe..93967da44ea 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -52,7 +52,12 @@ }, { "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md", - "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension", + "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md", + "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview", "redirect_document_id": false }, { @@ -1452,12 +1457,12 @@ }, { "source_path": "windows/security/threat-protection/intelligence/av-tests.md", - "redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests", + "redirect_url": "/microsoft-365/security/defender/top-scoring-industry-antivirus-tests.md", "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/intelligence/coinminer-malware.md", - "redirect_url": "/microsoft-365/security/intelligence/coinminer-malware", + "redirect_url": "/microsoft-365/security/defender-endpoint/malware/coinminer-malware", "redirect_document_id": false }, { 
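Review bot: The added entry for `windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md` in the `@@ -27,33 +27,138 @@` hunk is the only one there whose `redirect_url` is an absolute link to another host (`techcommunity.microsoft.com`), and it targets a single blog post rather than a docs path. Unlike the site-relative targets, that URL is presumably not checked by the docs build, so if the post is moved or retired the redirect breaks silently. If the off-site target is intended, the commit description should say why, since JSON leaves no room for a comment. Otherwise a site-relative landing page such as the `/windows/privacy/index` used for other retired topics in this file would be consistent with the rest of the hunk.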
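Review bot: The new `redirect_url` for `windows/security/threat-protection/intelligence/av-tests.md` in the `@@ -1452,12 +1457,12 @@` hunk ends in `.md`, while every other `redirect_url` visible in this diff is an extensionless site path. With the file extension kept, the redirect most likely lands on a missing page. The line should read `"redirect_url": "/microsoft-365/security/defender/top-scoring-industry-antivirus-tests",`.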
@@ -1467,12 +1472,12 @@
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/criteria.md",
- "redirect_url": "/microsoft-365/security/intelligence/criteria",
+ "redirect_url": "/microsoft-365/security/defender/criteria",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md",
- "redirect_url": "/microsoft-365/security/intelligence/cybersecurity-industry-partners",
+ "redirect_url": "/microsoft-365/security/defender/virus-initiative-criteria",
 "redirect_document_id": false
 },
 {
@@ -1487,17 +1492,17 @@
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/exploits-malware.md",
- "redirect_url": "/microsoft-365/security/intelligence/exploits-malware",
+ "redirect_url": "/microsoft-365/security/defender-endpoint/malware/exploits-malware",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/fileless-threats.md",
- "redirect_url": "/microsoft-365/security/intelligence/fileless-threats",
+ "redirect_url": "/microsoft-365/security/defender-endpoint/malware/fileless-threats",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/macro-malware.md",
- "redirect_url": "/microsoft-365/security/intelligence/macro-malware",
+ "redirect_url": "/microsoft-365/security/defender-endpoint/malware/macro-malware",
 "redirect_document_id": false
 },
 {
@@ -1507,12 +1512,12 @@
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/phishing-trends.md",
- "redirect_url": "/microsoft-365/security/intelligence/phishing-trends",
+ "redirect_url": "/microsoft-365/security/defender-endpoint/malware/phishing-trends",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/phishing.md",
- "redirect_url": "/microsoft-365/security/intelligence/phishing",
+ "redirect_url": "/microsoft-365/security/defender-endpoint/malware/phishing",
 "redirect_document_id": false
 },
 {
@@ -1522,7 +1527,7 @@
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/prevent-malware-infection.md",
- "redirect_url": "/microsoft-365/security/intelligence/prevent-malware-infection",
+ "redirect_url": "/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection",
 "redirect_document_id": false
 },
 {
@@ -8172,7 +8177,7 @@
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md",
- "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works#provisioning",
 "redirect_document_id": false
 },
 {
@@ -8334,6 +8339,851 @@ "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md", "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust", "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/access-this-computer-from-the-network", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/account-lockout-duration.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-duration", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/account-lockout-policy.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-policy", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-threshold", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/account-policies.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-policies", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-administrator-account-status", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-rename-administrator-account", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-rename-guest-account", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/add-workstations-to-domain", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/administer-security-policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-locally", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services", + 
"redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/audit-policy.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-policy", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/back-up-files-and-directories", + 
"redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/bypass-traverse-checking", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/change-the-system-time.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/change-the-system-time", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/change-the-time-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/change-the-time-zone", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/create-a-pagefile.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-a-pagefile", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/create-a-token-object.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-a-token-object", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/create-global-objects.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-global-objects", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-permanent-shared-objects", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/create-symbolic-links.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/create-symbolic-links", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/debug-programs.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/debug-programs", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-as-a-service", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-locally", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md", 
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements", + 
"redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/enforce-password-history.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enforce-password-history", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/generate-security-audits.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/generate-security-audits", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/increase-a-process-working-set", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/increase-scheduling-priority", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on", + 
"redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/kerberos-policy.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/kerberos-policy", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/load-and-unload-device-drivers", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/lock-pages-in-memory", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/log-on-as-a-batch-job", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/log-on-as-a-service", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/manage-auditing-and-security-log", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/maximum-password-age.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-password-age", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/minimum-password-age.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-age", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/minimum-password-length.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/minimum-password-length", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/modify-an-object-label.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/modify-an-object-label", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/modify-firmware-environment-values", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously", + "redirect_document_id": 
false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-list-manager-policies", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md", 
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/password-policy.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/password-policy", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/profile-single-process.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/profile-single-process", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/profile-system-performance.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/profile-system-performance", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/remove-computer-from-docking-station", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/replace-a-process-level-token", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/restore-files-and-directories", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/security-options.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-options", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/security-policy-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-policy-settings-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/shut-down-the-system.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/shut-down-the-system", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/synchronize-directory-service-data", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-settings-optional-subsystems", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment", + "redirect_document_id": false + }, + { + "source_path": "windows/security/cloud-security/index.md", + "redirect_url": "/windows/security/cloud-services", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/dual-enrollment", + "redirect_document_id": false } ] -} \ No newline at end of file +} diff --git a/.openpublishing.redirection.windows-whats-new.json b/.openpublishing.redirection.windows-whats-new.json index 9e05719ebc7..b72627e6c62 100644 --- a/.openpublishing.redirection.windows-whats-new.json +++ b/.openpublishing.redirection.windows-whats-new.json 
@@ -159,11 +159,21 @@
 "source_path":"windows/whats-new/whats-new-windows-10-version-20H2.md",
 "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-20H2",
 "redirect_document_id":false
- },
- {
- "source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
- "redirect_document_id":false
- }
- ]
- }
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-21H2.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H2",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/ltsc/index.yml",
+ "redirect_url":"/windows/whats-new/",
+ "redirect_document_id":false
+ }
+ ]
+}
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
deleted file mode 100644
index e367821ba4d..00000000000
--- a/education/includes/education-content-updates.md
+++ /dev/null
@@ -1,28 +0,0 @@
-
-
-
-
-## Week of January 29, 2024
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 1/30/2024 | [Microsoft 365 Education Documentation](/education/index) | modified |
-
-
-## Week of January 15, 2024
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 1/16/2024 | Deployment recommendations for school IT administrators | removed |
-| 1/16/2024 | Microsoft Entra join with Set up School PCs app | removed |
-| 1/16/2024 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified |
-| 1/16/2024 | Set up student PCs to join domain | removed |
-| 1/16/2024 | Provision student PCs with apps | removed |
-| 1/16/2024 | Set up Windows devices for education | removed |
-| 1/16/2024 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | modified |
-| 1/16/2024 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | modified |
-| 1/16/2024 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | modified |
-| 1/16/2024 | [Set up Microsoft Entra ID](/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id) | modified |
-| 1/16/2024 | Windows 10 editions for education customers | removed |
diff --git a/education/index.yml b/education/index.yml
index adc8d30041b..1da8d77fdb9 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -8,7 +8,7 @@ metadata: title: Microsoft 365 Education Documentation description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. ms.topic: hub-page - ms.date: 11/06/2023 + ms.date: 07/22/2024 productDirectory: title: For IT admins
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index caa984b456f..072a760e050 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -1,7 +1,7 @@
 ---
 title: Upgrade Windows Home to Windows Education on student-owned devices
 description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions.
-ms.date: 08/07/2023
+ms.date: 04/10/2024
 ms.topic: how-to
 author: scottbreenmsft
 ms.author: scbree
@@ -16,43 +16,42 @@ ms.collection: ## Overview -Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning. +Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning. > [!NOTE] > To be qualified for this process, customers must have a Windows Education subscription that includes the student use benefit and must have access to the Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center. -IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The table below provides the recommended method depending on the scenario. +IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). The following table provides the recommended method depending on the scenario. | Method | Product key source | Device ownership | Best for | |-|-|-|-| | MDM | VLSC | Personal (student-owned) | IT admin initiated via MDM | -| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent or guardian | | Provisioning package | VLSC | Personal (student-owned) or Corporate (institution-owned) | IT admin initiated at first boot | These methods apply to devices with *Windows Home* installed; institution-owned devices can be upgraded from *Windows Professional* or *Windows Pro Edu* to *Windows Education* or *Windows Enterprise* using [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation). 
## User Notifications -Users aren't notified their device has been or will be upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM will initiate an upgrade to Windows Education and this upgrade will give the institution extra capabilities, such as installing applications. +Users aren't notified when their device is upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM initiates an upgrade to Windows Education, and that the upgrade gives the institution extra capabilities, such as installing applications. Device users can disconnect from MDM in the Settings app, to prevent further actions from being taken on their personal device. For instructions on disconnecting from MDM, see [Remove your Windows device from management](/mem/intune/user-help/unenroll-your-device-from-intune-windows). ## Why upgrade student-owned devices from Windows Home to Windows Education? -Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. Some of the CSPs not available in Windows Home that can affect typical student onboarding are: +Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles, and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. 
Some of the CSPs not available in Windows Home that can affect typical student onboarding are: - [EnterpriseDesktopAppManagement](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - which enables deployment of Windows installer or Win32 applications. - [DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) - which enables configuration of Delivery Optimization. -A full list of CSPs are available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows). +A full list of CSPs is available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows). ## Requirements for using a MAK to upgrade from Windows Home to Windows Education -- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center. +- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center - A qualifying Windows subscription such as: - - Windows A3, or; - - Windows A5. -- A pre-installed and activated instance of Windows 10 Home or Windows 11 Home. + - Windows A3, or + - Windows A5 +- A preinstalled and activated instance of Windows 10 Home or Windows 11 Home You can find more information in the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/productoffering). 
@@ -67,53 +66,44 @@ IT admins with access to the VLSC or the Microsoft 365 Admin Center, can find th It's critical that MAKs are protected whenever they're used. The following processes provide the best protection for a MAK being applied to a device: -- Provisioning package by institution approved staff; -- Manual entry by institution approved staff (don't distribute the key via email); -- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp); +- Provisioning package by institution approved staff +- Manual entry by institution approved staff (don't distribute the key via email) +- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) > [!IMPORTANT] > If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students. -- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager. +- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades). -## Downgrading, resetting, reinstalling and graduation rights +## Downgrading, resetting, reinstalling, and graduation rights After upgrading from *Windows Home* to *Windows Education* there are some considerations for what happens during downgrade, reset or reinstall of the operating system. -The table below highlights the differences by upgrade product key type: - -| Product Key Type | Downgrade (in-place) | Reset | Student reinstall | -|-|-|-|-| -| VLSC | No | Yes | No | -| Kivuto OnTheHub | No | Yes | Yes | - ### Downgrade It isn't possible to downgrade to *Windows Home* from *Windows Education* without reinstalling Windows. 
### Reset -If the computer is reset, Windows Education will be retained. +If the computer is reset, Windows Education is retained. ### Reinstall -The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) will be used to activate Windows. - -If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key prior to graduation. +The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) is used to activate Windows. For details on product keys and reinstalling Windows, see [Find your Windows product key](https://support.microsoft.com/windows/find-your-windows-product-key-aaa2bf69-7b2b-9f13-f581-a806abf0a886). ### Resale -The license will remain installed on the device if resold and the same conditions above apply for downgrade, reset or reinstall. +The license remains installed on the device if resold and the same conditions apply for downgrade, reset, or reinstall. ## Step by step process for customers to upgrade student-owned devices using Microsoft Intune -These steps provide instructions on how to use Microsoft Intune to upgrade devices from Home to Education. +These steps provide instructions on how to use Microsoft Intune to upgrade devices from Home to Education. ### Step 1: Create a Windows Home edition filter -These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters). 
+These steps configure a filter that only applies to devices running the *Windows Home edition*, ensuring that only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters). - Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431) - Select **Tenant administration** > **Filters** @@ -130,7 +120,7 @@ These steps configure a filter that will only apply to devices running the *Wind > [!NOTE] > Ensure you've selected OR as the operator in the right And/Or column - + :::image type="content" source="images/change-home-to-edu-windows-home-edition-intune-filter.png" alt-text="Example of configuring the Windows Home filter"::: - Optionally select scope tags as required @@ -153,14 +143,14 @@ These steps create and assign a Windows edition upgrade policy. For more informa - Change **Edition to upgrade** to **Windows 10/11 Education** - In the **Product Key**, enter your *Windows 10/11 Education MAK* - Select **Next** - + :::image type="content" source="images/change-home-to-edu-windows-edition-upgrade-policy.png" alt-text="Example of configuring the Windows upgrade policy in Microsoft Intune"::: - Optionally select scope tags as required and select **Next** -- On the **assignments** screen; +- On the **assignments** screen: - Select **Add all devices** - Next to **All devices**, select **Edit filter** - + > [!NOTE] > You can also target other security groups that contain a smaller scope of users or devices and apply the filter rather than All devices. 
@@ -171,7 +161,7 @@ These steps create and assign a Windows edition upgrade policy. For more informa
 - Don't configure any applicability rules and select **next**
 - Review your settings and select **Create**
-The edition upgrade policy will now apply to all existing and new Windows Home edition devices targeted.
+The edition upgrade policy applies to all existing and new Windows Home edition devices targeted.
 ### Step 3: Report on device edition
@@ -191,11 +181,11 @@ You can check the Windows versions of managed devices in the Microsoft Intune ad
 Increases to MAK Activation quantity can be requested by contacting [VLSC support](/licensing/contact-us) and may be granted by exception. A request can be made by accounts with the VLSC Administrator, Key Administrator, or Key Viewer permissions. The request should include the following information:
-- Agreement/Enrollment Number or License ID and Authorization.
-- Product Name (includes version and edition).
-- Last five characters of the product key.
-- The number of host activations required.
-- Business Justification or Reason for Deployment.
+- Agreement/Enrollment Number or License ID and Authorization
+- Product Name (includes version and edition)
+- Last five characters of the product key
+- The number of host activations required
+- Business Justification or Reason for Deployment
 ### What is a firmware-embedded activation key?
@@ -205,7 +195,7 @@ A firmware-embedded activation key is a Windows product key that is installed in
 (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
 ```
-If the device has a firmware-embedded activation key, it will be displayed in the output. Otherwise, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
+If the device has a firmware-embedded activation key, it's displayed in the output. Otherwise the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later have a firmware-embedded key.
 A firmware embedded key is only required to upgrade using Subscription Activation, a MAK upgrade doesn't require the firmware embedded key.
@@ -215,14 +205,6 @@ A multiple activation key activates either individual computers or a group of co
 | Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation |
 |-|-|:-:|:-:|:-:|:-:|
-| **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | |
-| **Microsoft Entra join** | Organization | X | X | | X |
-| **Microsoft Entra hybrid join** | Organization | X | X | X | X |
-
-## Related links
-
-- [Windows 10 edition upgrade (Windows 10)](/windows/deployment/upgrade/windows-10-edition-upgrades)
-- [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation)
-- [Equip Your Students with Windows 11 Education - Kivuto](https://kivuto.com/windows-11-student-use-benefit/)
-- [Upgrade Windows Home to Windows Pro (microsoft.com)](https://support.microsoft.com/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818)
-- [Partner Center: Upgrade Education customers from Windows 10 Home to Windows 10 Education](/partner-center/upgrade-windows-to-education)
+| **Workplace join (add work or school account)** | Personal (or student-owned) | ✅ | | | |
+| **Microsoft Entra join** | Organization | ✅ | ✅ | | ✅ |
+| **Microsoft Entra hybrid join** | Organization | ✅ | ✅ | ✅ | ✅ |
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 75606b7b94a..54bf350d777 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,15 +1,15 @@
 ---
 title: Configure federation between Google Workspace and Microsoft Entra ID
 description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
-ms.date: 09/11/2023
+ms.date: 04/10/2024
 ms.topic: how-to
 appliesto:
 ---
 # Configure federation between Google Workspace and Microsoft Entra ID
-This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\
-Once configured, users will be able to sign in to Microsoft Entra ID with their Google Workspace credentials.
+This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Microsoft Entra ID.\
+Once configured, users can sign in to Microsoft Entra ID with their Google Workspace credentials.
 ## Prerequisites
@@ -18,7 +18,7 @@ To configure Google Workspace as an IdP for Microsoft Entra ID, the following pr
 1. A Microsoft Entra tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
 - If the federated domain hasn't yet been added to Microsoft Entra ID, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
 - Learn how to [Add your custom domain name using the Microsoft Entra admin center](/azure/active-directory/fundamentals/add-custom-domain)
-1. Access to Microsoft Entra ID with an account with the *Global Administrator* role
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](/entra/identity/role-based-access-control/permissions-reference#external-identity-provider-administrator)
 1. Access to Google Workspace with an account with *super admin* privileges
 To test federation, the following prerequisites must be met:
@@ -27,11 +27,11 @@ To test federation, the following prerequisites must be met: > [!IMPORTANT] > Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID. > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-microsoft-entra-id). -1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example: +1. Individual Microsoft Entra accounts already created: each Google Workspace user requires a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example: - School Data Sync (SDS) - Microsoft Entra Connect Sync for environment with on-premises AD DS - PowerShell scripts that call the Microsoft Graph API - - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072) + - Provisioning tools offered by the IdP - Google Workspace offers [autoprovisioning](https://support.google.com/a/answer/7365072) 
@@ -42,12 +42,12 @@ To test federation, the following prerequisites must be met:
 1. Select **Add app > Search for apps** and search for *microsoft*
 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
 :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
-1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Microsoft Entra ID later
+1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
 1. On the **Service provider detail's** page
 - Select the option **Signed response**
 - Verify that the Name ID format is set to **PERSISTENT**
- - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you may need to adjust the **Name ID** mapping.\
- If using Google auto-provisioning, select **Basic Information > Primary email**
+ - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\
+ If using Google autoprovisioning, select **Basic Information > Primary email**
 - Select **Continue**
 1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
@@ -56,7 +56,7 @@ To test federation, the following prerequisites must be met:
 |Basic Information: Primary Email|App attributes: IDPEmail|
 > [!IMPORTANT]
- > You must ensure that your the Microsoft Entra user accounts email match those in your Google Workspace.
+ > You must ensure that your Microsoft Entra user account's email matches that in your Google Workspace.
 1. Select **Finish**
@@ -73,7 +73,7 @@ Now that the app is configured, you must enable it for the users in Google Works
 ## Configure Microsoft Entra ID as a Service Provider (SP) for Google Workspace
 The configuration of Microsoft Entra ID consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
-Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with the *Global Administrator* role.
+Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, sign in as at least a [External Identity Provider Administrator](/entra/identity/role-based-access-control/permissions-reference#external-identity-provider-administrator)
 ```powershell
 Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
@@ -136,7 +136,7 @@ AdditionalProperties : {}
 From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account:
 1. As username, use the email as defined in Google Workspace
-1. The user will be redirected to Google Workspace to sign in
-1. After Google Workspace authentication, the user will be redirected back to Microsoft Entra ID and signed in
+1. The user is redirected to Google Workspace to sign in
+1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
 :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
deleted file mode 100644
index d9b96510a0f..00000000000
--- a/education/windows/configure-windows-for-education.md
+++ /dev/null
@@ -1,159 +0,0 @@ ---- -title: Windows 10 configuration recommendations for education customers -description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- -# Windows 10 configuration recommendations for education customers - -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). - -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). - -In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. 
- -| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | -| --- | --- | --- | --- | --- | --- | -| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set | -| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set | -| **Cortana** | **AllowCortana** | Disables Cortana

* Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | -| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set | -| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

* Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set | - - -## Recommended configuration -It's easy to be education ready when using Microsoft products. We recommend the following configuration: - -1. Use an Office 365 Education tenant. - - With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). - -2. Activate Intune for Education in your tenant. - - You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html). - -3. On PCs running Windows 10, version 1703: - 1. Provision the PC using one of these methods: - * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. - * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. - 2. Join the PC to Microsoft Entra ID. - * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID. - * Manually Microsoft Entra join the PC during the Windows device setup experience. - 3. Enroll the PCs in MDM. - * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. - 4. 
Ensure that needed assistive technology apps can be used. - * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. - -4. Distribute the PCs to students. - - Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge. - -5. Ongoing management through Intune for Education. - - You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs. - -## Configuring Windows -You can configure Windows through provisioning or management tools including industry standard MDM. -- Provisioning - A one-time setup process. -- Management - A one-time and/or ongoing management of a PC by setting policies. - -You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready: -- [Set up School PCs](use-set-up-school-pcs-app.md) -- [Intune for Education](/intune-education/available-settings) - -## AllowCortana -**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). - -> [!NOTE] -> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. - -Use one of these methods to set this policy. 
- -### MDM -- Intune for Education automatically sets this policy in the **All devices** group policy configuration. -- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. - - OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana - - Data type: Integer - - Value: 0 - -### Group Policy -Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**. - -### Provisioning tools -- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**. - -## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). - -Use one of these methods to set this policy. - -### MDM -- Intune for Education automatically sets this policy in the **All devices** group policy configuration. -- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. 
- - OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies - - Data type: Boolean - - Value: true - - ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) - -### Group Policy -**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). - -For example: - -- Open PowerShell as an administrator and enter the following: - - ``` - $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" - - $sharedPC.SetEduPolicies = $True - - Set-CimInstance -CimInstance $sharedPC - - Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass - ``` - -### Provisioning tools -- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**. - - ![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png) - -## Ad-free search with Bing -Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. - -### Configurations - - - -#### Microsoft Entra ID and Office 365 Education tenant -To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps: - -1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590). -2. 
Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant). -3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. -4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC. -> [!NOTE] -> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time. - -#### Office 365 sign-in to Bing -To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps: - -1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. -2. Have students sign into Bing with their Office 365 account. - - -## Related topics -[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 3ac82d2b7c9..889b10b3938 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -1,7 +1,7 @@ --- title: Configure Stickers for Windows 11 SE description: Learn about the Stickers feature and how to configure it via Intune and provisioning package. -ms.date: 11/09/2023 +ms.date: 04/10/2024 ms.topic: how-to appliesto: - ✅ Windows 11 SE 
@@ -25,7 +25,7 @@ With Stickers, students feel more attached to the device as they feel as if it's ## Enable Stickers -Stickers aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG). +Stickers aren't enabled by default. The following instructions describe how to configure your devices using either Microsoft Intune or a provisioning package (PPKG). #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -36,7 +36,6 @@ Stickers aren't enabled by default. Follow the instructions below to configure y |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
  • | [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] > [!TIP] > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. [1](#footnote1) @@ -52,32 +51,26 @@ Content-Type: application/json #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) -To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: +[!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)] | Setting | |--------| |
  • Path: **`Education/AllowStickers`**
  • Value: **True**
  • | -Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. - +[!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)] --- ## How to use Stickers -Once the Stickers feature is enabled, the sticker editor can be opened by either: +Once the Stickers feature is enabled, open sticker editor by either: - using the contextual menu on the desktop and selecting the option **Add or edit stickers** - opening the Settings app > **Personalization** > **Background** > **Add stickers** :::image type="content" source="./images/win-11-se-stickers-menu.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true"::: -Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned or deleted from the desktop by using the mouse, keyboard, or touch. +Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned, or deleted from the desktop by using the mouse, keyboard, or touch. :::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true"::: Select the *X button* at the top of the screen to save your progress and close the sticker editor. - -[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 - -[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package -[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package \ No newline at end of file diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index ba510327cf5..21664c95bd4 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md 
@@ -26,7 +26,7 @@ The other options allow you to configure Take a Test in kiosk mode using a local Follow the instructions below to configure your devices, selecting the option that best suits your needs. -#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) +# [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) You can use Intune for Education or a custom profile in Microsoft Intune: @@ -68,9 +68,8 @@ To configure devices using Intune for Education, follow these steps: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] -#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) +# [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) To create a provisioning package, you can either use Set up School PCs or Windows Configuration Designer: @@ -85,7 +84,7 @@ Create a provisioning package using the Set up School PCs app, configuring the s ### Create a provisioning package using Windows Configuration Designer -[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings: +[!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)] | Setting | |--------| 
@@ -99,22 +98,11 @@ Create a provisioning package using the Set up School PCs app, configuring the s :::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true"::: -Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. +[!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)] -#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) +# [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) -Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). - -> [!TIP] -> PowerShell scripts can be executed as scheduled tasks via Group Policy. - -> [!IMPORTANT] -> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. -> -> To test a PowerShell script, you can: -> 1. [Download the psexec tool](/sysinternals/downloads/psexec) -> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` -> 1. Run the script in the PowerShell session +[!INCLUDE [powershell-wmi-bridge-1](../../includes/configure/powershell-wmi-bridge-1.md)] Edit the following sample PowerShell script to: 
@@ -171,7 +159,9 @@ $cimObject.HideFastUserSwitching = 1 Set-CimInstance -CimInstance $cimObject ``` -#### [:::image type="icon" source="images/icons/settings.svg"::: **Settings app**](#tab/settings) +[!INCLUDE [powershell-wmi-bridge-2](../../includes/configure/powershell-wmi-bridge-2.md)] + +# [:::image type="icon" source="images/icons/settings.svg"::: **Settings app**](#tab/settings) To create a local account, and configure Take a Test in kiosk mode using the Settings app: diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index c30c7fd79a0..b0d6efa6390 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -1,7 +1,7 @@ --- title: Configure education themes for Windows 11 description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package. -ms.date: 09/11/2023 +ms.date: 04/10/2024 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 3d414e043d5..aca908bb450 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Learn how federated sign-in in Windows works and how to configure it. -ms.date: 09/11/2023 +ms.date: 06/03/2024 ms.topic: how-to appliesto: - ✅ Windows 11 @@ -87,7 +87,7 @@ Review the following instructions to configure your devices using either Microso |--|--|--| | Education | Is Education Environment | Enabled | | Federated Authentication | Enable Web Sign In For Primary User | Enabled | -| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` | +| Authentication | Configure Web Sign In Allowed Urls | Enter the list of domains, with each URL in a separate row. For example:
    - `samlidp.clever.com`
    - `clever.com`
    - `mobile-redirector.clever.com` | | Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` | [!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)] @@ -134,7 +134,7 @@ Review the following instructions to configure your shared devices using either | Education | Is Education Environment | Enabled | | SharedPC | Enable Shared PC Mode With OneDrive Sync | True | | Authentication | Enable Web Sign In | Enabled | -| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` | +| Authentication | Configure Web Sign In Allowed Urls | Enter the list of domains, with each URL in a separate row. For example:
    - `samlidp.clever.com`
    - `clever.com`
    - `mobile-redirector.clever.com` | | Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` | [!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)] diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 4e8222d98d0..d5a0cb61fae 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,7 +2,7 @@ title: Get and deploy Minecraft Education description: Learn how to obtain and distribute Minecraft Education to Windows devices. ms.topic: how-to -ms.date: 09/11/2023 +ms.date: 04/10/2024 ms.collection: - education - tier2 
@@ -16,15 +16,15 @@ Minecraft Education is a game-based platform that inspires creative and inclusiv **Prepare students for the future**: learners develop key skills like problem solving, collaboration, digital citizenship, and critical thinking to help them thrive now and in the future workplace. Spark a passion for STEM. -**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges.  +**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges.  ## Minecraft Education key features -- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments  -- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution  -- Immersive Reader helps players read and translate text  -- Camera and Book & Quill items allow documentation and export of in-game creations  -- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls  +- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments  +- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution  +- Immersive Reader helps players read and translate text  +- Camera and Book & Quill items allow documentation and export of in-game creations  +- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls  ## Try or purchase Minecraft Education 
@@ -34,7 +34,7 @@ Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 3 When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Microsoft Entra tenant. If you don't have a Microsoft Entra tenant: -- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes a Microsoft Entra tenant +- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes a Microsoft Entra tenant - Non-Microsoft-verified academic organizations can set up a free Microsoft Entra tenant when they [purchase Minecraft Education commercial licenses][EDU-4] ### Direct purchase @@ -78,7 +78,7 @@ To pay with an invoice: 1. During the purchase, select **Add a new payment method.** 2. Select the **Invoice** option, and provide the information needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization. -For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1]. +For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1]. ## Assign Minecraft Education licenses diff --git a/education/windows/images/setedupolicies_omauri.png b/education/windows/images/setedupolicies_omauri.png deleted file mode 100644 index eb3d9e216c5..00000000000 Binary files a/education/windows/images/setedupolicies_omauri.png and /dev/null differ diff --git a/education/windows/images/wcd/setedupolicies.png b/education/windows/images/wcd/setedupolicies.png deleted file mode 100644 index e240063f683..00000000000 Binary files a/education/windows/images/wcd/setedupolicies.png and /dev/null differ 
diff --git a/education/windows/images/wcd/wcd_settings_assignedaccess.png b/education/windows/images/wcd/wcd_settings_assignedaccess.png deleted file mode 100644 index 443a5d0688d..00000000000 Binary files a/education/windows/images/wcd/wcd_settings_assignedaccess.png and /dev/null differ diff --git a/education/windows/index.yml b/education/windows/index.yml index d14d00dd632..1c2008d3c90 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -9,20 +9,19 @@ metadata: ms.collection: - education - tier1 - - essentials-navigation author: paolomatarazzo ms.author: paoloma manager: aaroncz - ms.date: 10/30/2023 + ms.date: 07/22/2024 highlightedContent: items: - title: Get started with Windows 11 SE itemType: get-started url: windows-11-se-overview.md - - title: Windows 11, version 22H2 + - title: Windows 11, version 23H2 itemType: whats-new - url: /windows/whats-new/whats-new-windows-11-version-22H2 + url: /windows/whats-new/whats-new-windows-11-version-23h2 - title: Explore all Windows trainings and learning paths for IT pros itemType: learn url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator @@ -63,10 +62,8 @@ productDirectory: - title: Learn how to manage Windows devices imageSrc: /media/common/i_management.svg links: - - url: tutorial-school-deployment/manage-overview.md + - url: /mem/intune/industry/education/tutorial-school-deployment/manage-overview text: Manage devices with Microsoft Intune - - url: tutorial-school-deployment/manage-surface-devices.md - text: Management functionalities for Surface devices - url: /education/windows/get-minecraft-for-education text: Get and deploy Minecraft Education - url: /windows/client-management 
@@ -139,4 +136,4 @@ additionalContent: - text: Microsoft Intune community url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune - text: Microsoft Support community - url: https://answers.microsoft.com/windows/forum \ No newline at end of file + url: https://answers.microsoft.com/ \ No newline at end of file diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 6086d0f017f..8b49992af01 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -1,7 +1,7 @@ --- title: What's in Set up School PCs provisioning package description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app. -ms.date: 06/02/2023 +ms.date: 04/10/2024 ms.topic: reference appliesto: - ✅ Windows 10 
@@ -34,15 +34,15 @@ For a more detailed look at the policies, see the Windows article [Set up shared | Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | | Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When devices are optimized for shared use, the policy sets 25% of total disk space as the disk space threshold for account caching. When devices are optimized for use by a single student, the policy sets the value to 0% and doesn't delete accounts. | | Enable account manager | True | Enables automatic account management. | -| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. | +| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After the threshold, if an account hasn't signed in, its user profile is deleted. | | Kiosk Mode AMUID | `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App` | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | | Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | | Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | | Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | -| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1024 MB. 
Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. | +| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1,024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. | | Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | | Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | -| Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | +| Sleep timeout | 3,600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3,600 seconds (1 hour), is applied. | ## MDM and local group policies 
@@ -58,7 +58,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. | | Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates | | Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. | -| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. | +| Allow auto update | 4 - Autoinstalls and restarts without device-user control | When an auto update is available, it autoinstalls and restarts the device without any input or action from the device user. | | Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. | | Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | | Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | 
@@ -70,7 +70,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. | | Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | | Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. | -| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | +| Import Microsoft Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | | Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | | Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. | | Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | 
@@ -112,7 +112,7 @@ The time it takes to install a package on a device depends on the: - Number of policies and apps within the package - Other configurations made to the device -Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision. +Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations provisions the fastest. A package that removes preinstalled apps, through CleanPC, will take longer to provision. | Configurations | Connection type | Estimated provisioning time | |--|--|--| diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md index d9663d6d32d..8c46ac4b935 100644 --- a/education/windows/take-tests-in-windows.md +++ b/education/windows/take-tests-in-windows.md @@ -1,7 +1,7 @@ --- title: Take tests and assessments in Windows description: Learn about the built-in Take a Test app for Windows and how to use it. -ms.date: 03/31/2023 +ms.date: 02/29/2024 ms.topic: how-to --- @@ -48,7 +48,7 @@ This is an ideal option for teachers who want to create a link to a specific ass For this option, you embed a URL with a specific prefix and specify parameters depending on what you want to allow during the test. The URL must be in the following format: -``` +```text ms-edu-secureassessment:#enforceLockdown ``` diff --git a/education/windows/toc.yml b/education/windows/toc.yml index 667c2ddc07a..62e4c0d85cb 100644 --- a/education/windows/toc.yml +++ b/education/windows/toc.yml @@ -4,8 +4,6 @@ items: - name: Tutorials expanded: true items: - - name: Deploy and manage Windows devices in a school - href: tutorial-school-deployment/toc.yml - name: Deploy applications to Windows 11 SE href: tutorial-deploy-apps-winse/toc.yml - name: Concepts 
diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md
index 73d202a2020..7f2a9f92075 100644
--- a/education/windows/tutorial-deploy-apps-winse/considerations.md
+++ b/education/windows/tutorial-deploy-apps-winse/considerations.md
@@ -1,7 +1,7 @@
 ---
 title: Important considerations before deploying apps with managed installer
 description: Learn about important aspects to consider before deploying apps with managed installer.
-ms.date: 06/19/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
 - ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md
index 8841f736bdc..26e022bbbf8 100644
--- a/education/windows/tutorial-deploy-apps-winse/create-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md
@@ -1,7 +1,7 @@
 ---
 title: Create policies to enable applications
 description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
-ms.date: 06/19/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
 - ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
index bc3bd280042..62442e2058d 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
@@ -1,7 +1,7 @@
 ---
 title: Applications deployment considerations
 description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
-ms.date: 05/23/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
 - ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
index 330d85b61ef..63f61438534 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
@@ -1,7 +1,7 @@
 ---
 title: Deploy policies to enable applications
 description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
-ms.date: 05/23/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
 - ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md
index ff7cce6a5fb..1c09685eed2 100644
--- a/education/windows/tutorial-deploy-apps-winse/index.md
+++ b/education/windows/tutorial-deploy-apps-winse/index.md
@@ -1,7 +1,7 @@
 ---
 title: Deploy applications to Windows 11 SE with Intune
 description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
-ms.date: 06/07/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
 - ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
index 631b12b06ed..38a3ee9d4c7 100644
--- a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
+++ b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshoot app deployment issues in Windows SE
 description: Troubleshoot common issues when deploying apps to Windows SE devices.
-ms.date: 06/19/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
 - ✅ Windows 11 SE, version 22H2 and later
@@ -45,10 +45,10 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes ``` citool.exe -lp ``` - + - For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true** - For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true** - + :::image type="content" source="images/troubleshoot-citool.png" alt-text="Screenshot of the output of citool.exe with the Win-EDU supplemental policy."::: 1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1] diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md index a3e128a92e4..211638de729 100644 --- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md @@ -1,7 +1,7 @@ --- title: Validate the applications deployed to Windows SE devices description: Learn how to validate the applications deployed to Windows SE devices via Intune. -ms.date: 06/19/2023 +ms.date: 04/10/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later 
@@ -65,11 +65,11 @@ To check the installation status of an app from the Intune portal: 1. Select **App > All apps** 1. Select the application you want to check 1. From the **Overview** page, you can verify the overall installation status - + :::image type="content" source="./images/intune-app-install-overview.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png"::: 1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure - + :::image type="content" source="./images/intune-app-install-status.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png"::: > [!NOTE] diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md deleted file mode 100644 index 25171ff770a..00000000000 --- a/education/windows/tutorial-school-deployment/configure-device-apps.md +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -title: Configure applications with Microsoft Intune -description: Learn how to configure applications with Microsoft Intune in preparation for device deployment. -ms.date: 01/16/2024 -ms.topic: tutorial ---- - -# Configure applications with Microsoft Intune - -With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education. - -Applications can be assigned to groups: - -- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into -- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in - -> [!div class="checklist"] ->In this section you will: -> -> - Add apps to Intune for Education -> - Assign apps to groups -> - Review some considerations for Windows 11 SE devices - -## Add apps to Intune for Education - -Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**. - -:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true"::: - -### Desktop apps - -The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. - -### Web apps - -To create web applications in Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Apps** -1. Select **New app** > **New web app** -1. Provide a URL for the web app, a name and, optionally, an icon and description -1. Select **Save** - -For more information, see [Add web apps][INT-2]. 
- -## Assign apps to groups - -To assign applications to a group of users or devices: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > Pick a group to manage -1. Select **Apps** -1. Select either **Web apps** or **Windows apps** -1. Select the apps you want to assign to the group > Save - -## Considerations for Windows 11 SE - -Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC). -WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy. - -To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1]. - -## Next steps - -With the applications configured, you can now deploy students' and teachers' devices. - -> [!div class="nextstepaction"] -> [Next: Deploy devices >](enroll-overview.md) - - - -[EDU-1]: ../tutorial-deploy-apps-winse/index.md - -[MEM-1]: /mem/intune/apps/apps-win32-add - -[INT-1]: /intune-education/express-configuration-intune-edu -[INT-2]: /intune-education/add-web-apps-edu \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md deleted file mode 100644 index 5733d483e94..00000000000 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: Configure and secure devices with Microsoft Intune -description: Learn how to configure policies with Microsoft Intune in preparation for device deployment. -ms.date: 01/16/2024 -ms.topic: tutorial -ms.collection: essentials-manage ---- - -# Configure and secure devices with Microsoft Intune - -With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies. -For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel. - -Settings can be assigned to groups: - -- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to -- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices - -There are two ways to manage settings in Intune for Education: - -- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments -- **Group settings.** This option is used to configure all settings that are offered by Intune for Education - -> [!NOTE] -> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices. - - -> [!div class="checklist"] ->In this section you will: -> -> - Configure settings with Express Configuration -> - Configure group settings -> - Create Windows Update policies -> - Configure security policies - -## Configure settings with Express Configuration - -With Express Configuration, you can get Intune for Education up and running in just a few steps. 
You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools. - -> [!TIP] -> To learn more, and practice step-by-step Express Configuration in Intune for Education, try this interactive demo. - -## Configure group settings - -Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > Pick a group to manage -1. Select **Windows device settings** -1. Expand the different categories and review information about individual settings - -Settings that are commonly configured for student devices include: - -- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7] -- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8] -- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9] - -For more information, see [Windows device settings in Intune for Education][INT-3]. - -## Create Windows Update policies - -It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education. - -To create a Windows Update policy: - -1. Select **Groups** > Pick a group to manage -1. Select **Windows device settings** -1. Expand the category **Update and upgrade** -1. Configure the required settings as needed - -For more information, see [Updates and upgrade][INT-6]. - -> [!NOTE] -> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information: -> - [What is Windows Update for Business?][WIN-1] -> - [Manage Windows software updates in Intune][MEM-1] - -## Configure security policies - -It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows. 
-Intune for Education provides different settings to secure devices. - -To create a security policy: - -1. Select **Groups** > Pick a group to manage -1. Select **Windows device settings** -1. Expand the category **Security** -1. Configure the required settings as needed, including - - Windows Defender - - Windows Encryption - - Windows SmartScreen - -For more information, see [Security][INT-4]. - -> [!NOTE] -> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information: -> - [Antivirus][MEM-2] -> - [Disk encryption][MEM-3] -> - [Firewall][MEM-4] -> - [Endpoint detection and response][MEM-5] -> - [Attack surface reduction][MEM-6] -> - [Account protection][MEM-7] - ---- - -## Next steps - -With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices. - -> [!div class="nextstepaction"] -> [Next: Configure applications >](configure-device-apps.md) - - - -[EDU-1]: /education/windows/windows-11-se-overview - -[INT-2]: /intune-education/express-configuration-intune-edu -[INT-3]: /intune-education/all-edu-settings-windows -[INT-4]: /intune-education/all-edu-settings-windows#security -[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade -[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop -[INT-8]: /intune-education/add-wi-fi-profile -[INT-9]: /intune-education/take-a-test-profiles - -[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb - -[MEM-1]: /mem/intune/protect/windows-update-for-business-configure -[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy -[MEM-3]: /mem/intune/protect/encrypt-devices -[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy -[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy -[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy -[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy \ No newline at end of file 
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
deleted file mode 100644
index 27ad5f3a8d6..00000000000
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ /dev/null
@@ -1,61 +0,0 @@ ---- -title: Configure devices with Microsoft Intune -description: Learn how to configure policies and applications in preparation for device deployment. -ms.date: 11/09/2023 -ms.topic: tutorial -ms.collection: essentials-manage ---- - -# Configure settings and applications with Microsoft Intune - -Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune. -Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices. -With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them. - - -> [!div class="checklist"] ->In this section you will: -> -> - Create groups -> - Create and assign policies to groups -> - Create and assign applications to groups - -## Create groups - -By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need. - -By default, Intune for Education creates two default groups: *All devices* and *All users*. -Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school. - -:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true"::: - -Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to. 
- -Two group types can be created: - -- **Assigned groups** are used when you want to manually add users or devices to a group -- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups - -> [!TIP] -> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution. - -For more information, see: - -- [Create groups in Intune for Education][EDU-1] -- [Manually add or remove users and devices to an existing assigned group][EDU-2] -- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3] - -________________________________________________________ - -## Next steps - -With the groups created, you can configure policies and applications to deploy to your groups. - -> [!div class="nextstepaction"] -> [Next: Configure policies >](configure-device-settings.md) - - - -[EDU-1]: /intune-education/create-groups -[EDU-2]: /intune-education/edit-groups-intune-for-edu -[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md deleted file mode 100644 index 23985289cf9..00000000000 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ /dev/null 
@@ -1,148 +0,0 @@ ---- -title: Enrollment in Intune with Windows Autopilot -description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot. -ms.date: 01/16/2024 -ms.topic: tutorial ---- - -# Windows Autopilot - -Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices. - -Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services. - -From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated. - -## Prerequisites - -Before setting up Windows Autopilot, consider these prerequisites: - -- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot -- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices -- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. 
For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1] - -> [!NOTE] -> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune][INT-1] and [Microsoft 365][M365-1]. - -## Register devices to Windows Autopilot - -Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot: - -- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2] - > [!NOTE] - > For **Microsoft Surface registration**, collect the details shown in this [documentation table][SURF-1] and follow the instruction to submit the request form to Microsoft Support. -- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5] - > [!TIP] - > Try the Microsoft Partner Center clickable demo, which provides detailed steps to establish a partner relationship and register devices. -- **Manual registration.** To manually register a device, you must first capture its hardware hash. 
Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6] - > [!IMPORTANT] - > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. - -## Create groups for Autopilot devices - -**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices. -For this task, it's recommended to create dynamic device groups using Autopilot attributes. - -Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > **Create group** -1. Specify a **Group name** and select **Dynamic** -1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value -1. Select **Create group** - :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true"::: - -More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. - -> [!TIP] -> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings. - -## Create Autopilot deployment profiles - -For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices. 
-A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be: - -1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE -1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode - -To create an Autopilot deployment profile: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > Select a group from the list -1. Select **Windows device settings** -1. Expand the **Enrolment** category -1. From **Configure Autopilot deployment profile for device** select **User-driven** -1. Ensure that **User account type** is configured as **Standard** -1. Select **Save** - -While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. - -### Configure an Enrollment Status Page - -An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status. - -:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false"::: - -> [!NOTE] -> Some Windows Autopilot deployment profiles **require** the ESP to be configured. - -To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune. 
- -> [!TIP] -> While testing the deployment process, you can configure the ESP to: -> - allow the reset of the devices in case the installation fails -> - allow the use of the device if installation error occurs -> -> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing. - -For more information, see [Set up the Enrollment Status Page][MEM-3]. - -> [!CAUTION] -> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3]. - -### Autopilot end-user experience - -Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection. -When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows: - -1. Identify the language and region -1. Select the keyboard layout and decide on the option for a second keyboard layout -1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step -1. Apply updates: the device will look for and apply required updates -1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur -1. The user authenticates to Microsoft Entra ID, using the school account -1. 
The device joins Microsoft Entra ID, enrolls in Intune and all the settings and applications are configured - -> [!NOTE] -> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection. - -:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: - -________________________________________________________ -## Next steps - -With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. - -> [!div class="nextstepaction"] -> [Next: Manage devices >](manage-overview.md) - - - -[MEM-1]: /mem/intune/fundamentals/intune-endpoints -[MEM-2]: /mem/autopilot/oem-registration -[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune -[MEM-4]: /mem/autopilot/profiles -[MEM-5]: /mem/autopilot/partner-registration -[MEM-6]: /mem/autopilot/add-devices - -[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements - -[MSFT-1]: https://partner.microsoft.com/ - -[INT-1]: /intune/network-bandwidth-use - -[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 - -[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page - -[SURF-1]: /surface/surface-autopilot-registration-support diff --git a/education/windows/tutorial-school-deployment/enroll-entra-join.md b/education/windows/tutorial-school-deployment/enroll-entra-join.md deleted file mode 100644 index e599fca7ac4..00000000000 --- a/education/windows/tutorial-school-deployment/enroll-entra-join.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Enrollment in Intune with standard out-of-box experience (OOBE) -description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Automatic Intune enrollment via Microsoft Entra join - -If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune. -With this process, no advance preparation is needed: - -1. Follow the on-screen prompts for region selection, keyboard selection, and network connection -1. Wait for updates. If any updates are available, they'll be installed at this time - :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true"::: -1. When prompted, select **Set up for work or school** and authenticate using your school's Microsoft Entra account - :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true"::: -1. The device will join Microsoft Entra ID and automatically enroll in Intune. All settings defined in Intune will be applied to the device - -> [!IMPORTANT] -> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot. - -:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: - ---- - -## Next steps - -With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. - -> [!div class="nextstepaction"] -> [Next: Manage devices >](manage-overview.md) 
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
deleted file mode 100644
index 8410be0db99..00000000000
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ /dev/null
@@ -1,31 +0,0 @@ ---- -title: Device enrollment overview -description: Learn about the different options to enroll Windows devices in Microsoft Intune -ms.date: 11/09/2023 -ms.topic: overview ---- - -# Device enrollment overview - -There are three main methods for joining Windows devices to Microsoft Entra ID and getting them enrolled and managed by Intune: - -- **Automatic Intune enrollment via Microsoft Entra join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Microsoft Entra ID. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices -- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join a Microsoft Entra tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience -- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users - -## Choose the enrollment method - -**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments. -This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies. 
- -:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false"::: - -Select one of the following options to learn the next steps about the enrollment method you chose: -> [!div class="op_single_selector"] -> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md) -> - [Bulk enrollment with provisioning packages](enroll-package.md) -> - [Enroll devices with Windows Autopilot](enroll-autopilot.md) - - - -[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md deleted file mode 100644 index 22f7c70443b..00000000000 --- a/education/windows/tutorial-school-deployment/enroll-package.md +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -title: Enrollment of Windows devices with provisioning packages -description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Enrollment with provisioning packages - -Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are: - -- There are no particular hardware dependencies on the devices to complete the enrollment process -- Devices don't need to be registered in advance -- Enrollment is a simple task: just open a provisioning package and the process is automated - -You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections. - -## Set up School PCs - -With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Microsoft Entra join and Intune enrollment process. - -### Create a provisioning package - -The Set Up School PCs app guides you through configuration choices for school-owned devices. - -:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false"::: - -> [!CAUTION] -> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page. - -Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios. - -For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1]. 
- -> [!TIP] -> To learn more and practice with Set up School PCs, try the Set Up School PCs demo, which provides detailed steps to create a provisioning package and deploy a device. -## Windows Configuration Designer - -Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package. - -:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false"::: - -For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use. - -## Enroll devices with the provisioning package - -To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Microsoft Entra ID and automatically enroll in Intune. -All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use. - -:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false"::: - ---- - -## Next steps - -With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. - -> [!div class="nextstepaction"] -> [Next: Manage devices >](manage-overview.md) - - - -[EDU-1]: /education/windows/use-set-up-school-pcs-app - -[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd 
diff --git a/education/windows/tutorial-school-deployment/images/advanced-support.png b/education/windows/tutorial-school-deployment/images/advanced-support.png
deleted file mode 100644
index d7655d1616a..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/advanced-support.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/device-lifecycle.png b/education/windows/tutorial-school-deployment/images/device-lifecycle.png
deleted file mode 100644
index ab14cdb9f07..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/device-lifecycle.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png
deleted file mode 100644
index 3386f7673a3..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile.png b/education/windows/tutorial-school-deployment/images/dfci-profile.png
deleted file mode 100644
index d77dc06f3dd..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/dfci-profile.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/enroll.png b/education/windows/tutorial-school-deployment/images/enroll.png
deleted file mode 100644
index 352cda95093..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/enroll.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png
deleted file mode 100644
index 69b22745a6e..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png
deleted file mode 100644
index 3f031053d59..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-branding.png b/education/windows/tutorial-school-deployment/images/entra-branding.png
deleted file mode 100644
index 7201c7386da..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-branding.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-device-settings.png b/education/windows/tutorial-school-deployment/images/entra-device-settings.png
deleted file mode 100644
index ef18b7391ff..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-device-settings.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png
deleted file mode 100644
index 4cf21148d16..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png
deleted file mode 100644
index 20b05ad9d7a..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-apps.png b/education/windows/tutorial-school-deployment/images/intune-education-apps.png
deleted file mode 100644
index ca344cf5cfa..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-apps.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png
deleted file mode 100644
index 75543684cae..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-groups.png b/education/windows/tutorial-school-deployment/images/intune-education-groups.png
deleted file mode 100644
index 87f4546e88b..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-groups.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-portal.png b/education/windows/tutorial-school-deployment/images/intune-education-portal.png
deleted file mode 100644
index 6bcc9f9375d..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-portal.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/inventory-reporting.png b/education/windows/tutorial-school-deployment/images/inventory-reporting.png
deleted file mode 100644
index 39c904e2058..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/inventory-reporting.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/m365-admin-center.png b/education/windows/tutorial-school-deployment/images/m365-admin-center.png
deleted file mode 100644
index d471b441dd2..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/m365-admin-center.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/protect-manage.png b/education/windows/tutorial-school-deployment/images/protect-manage.png
deleted file mode 100644
index 7ee7040a46b..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/protect-manage.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/remote-actions.png b/education/windows/tutorial-school-deployment/images/remote-actions.png
deleted file mode 100644
index cfbd12f2da0..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/remote-actions.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/retire.png b/education/windows/tutorial-school-deployment/images/retire.png
deleted file mode 100644
index c079cfeaac5..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/retire.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/supcs-win11se.png b/education/windows/tutorial-school-deployment/images/supcs-win11se.png
deleted file mode 100644
index 700ff6d87fd..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/supcs-win11se.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png
deleted file mode 100644
index 339bd909045..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal.png b/education/windows/tutorial-school-deployment/images/surface-management-portal.png
deleted file mode 100644
index a1b7dd37ab5..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/surface-management-portal.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/wcd.png b/education/windows/tutorial-school-deployment/images/wcd.png
deleted file mode 100644
index fba5be741f9..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/wcd.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/whfb-disable.png b/education/windows/tutorial-school-deployment/images/whfb-disable.png
deleted file mode 100644
index 97177965e30..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/whfb-disable.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png
deleted file mode 100644
index 0ec380619ef..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-login-screen.png b/education/windows/tutorial-school-deployment/images/win11-login-screen.png
deleted file mode 100644
index 438dda11bcd..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-login-screen.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png
deleted file mode 100644
index 5ebb6a9f14a..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif
deleted file mode 100644
index fa2e4c3aeb7..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif
deleted file mode 100644
index 2defd5c1ce8..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png
deleted file mode 100644
index 51bbc39c9f1..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-wipe.png b/education/windows/tutorial-school-deployment/images/win11-wipe.png
deleted file mode 100644
index 027afae1721..00000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-wipe.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
deleted file mode 100644
index c72273b7aa0..00000000000
--- a/education/windows/tutorial-school-deployment/index.md
+++ /dev/null
@@ -1,81 +0,0 @@ ---- -title: Introduction to the tutorial deploy and manage Windows devices in a school -description: Introduction to deployment and management of Windows devices in education environments. -ms.date: 11/09/2023 -ms.topic: tutorial -ms.collection: essentials-get-started ---- - -# Tutorial: deploy and manage Windows devices in a school - -This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment. - -## Audience and user requirements - -This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including: - -- School leaders -- IT administrators -- Teachers -- Microsoft partners - -This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**. - -> [!NOTE] -> Depending on your school setup scenario, you may not need to implement all steps. - -## Device lifecycle management - -Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management. - -Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. 
-Microsoft Intune services include: - -- [Microsoft Intune][MEM-1] -- [Microsoft Intune for Education][INT-1] -- [Configuration Manager][MEM-2] -- [Desktop Analytics][MEM-3] -- [Windows Autopilot][MEM-4] -- [Surface Management Portal][MEM-5] - -These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk. - -## Why Intune for Education? - -Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point. -From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle: - -:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false"::: - -- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Microsoft Entra tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies -- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator -- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates -- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. 
In this document, we cover different device return and exchange scenarios - -## Four pillars of modern device management - -In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management: - -- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Microsoft Entra ID, as the foundation for user identity and authentication -- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence -- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education -- **Device reset:** Resetting managed devices with Intune for Education - ---- - -## Next steps - -Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment. - -> [!div class="nextstepaction"] -> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md) - - - -[MEM-1]: /mem/intune/fundamentals/what-is-intune -[MEM-2]: /mem/configmgr/core/understand/introduction -[MEM-3]: /mem/configmgr/desktop-analytics/overview -[MEM-4]: /mem/autopilot/windows-autopilot -[MEM-5]: /mem/autopilot/dfci-management - -[INT-1]: /intune-education/what-is-intune-for-education diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md deleted file mode 100644 index 0a51b174b9a..00000000000 --- a/education/windows/tutorial-school-deployment/manage-overview.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Manage devices with Microsoft Intune -description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Manage devices with Microsoft Intune - -Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained. - -:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false"::: - -## Remote device management - -With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely. - -### Remote actions - -Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device. - -:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true"::: - -With bulk actions, remote actions can be performed on multiple devices at once. - -To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1]. - -## Remote assistance - -With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices. - -For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2]. 
- -## Device inventory and reporting - -With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline. - -Here are the steps for generating reports in Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Reports** -1. Select between one of the report types: - - Device inventory - - Device actions - - Application inventory - - Settings errors - - Windows Defender - - Autopilot deployment -1. If needed, use the search box to find specific devices, applications, and settings -1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel. - :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true"::: - -To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3]. - - - -[EDU-1]: /intune-education/edu-device-remote-actions -[EDU-2]: /intune-education/remote-assist-mobile-devices -[EDU-3]: /intune-education/what-are-reports diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md deleted file mode 100644 index 028dc739c75..00000000000 --- a/education/windows/tutorial-school-deployment/manage-surface-devices.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Management functionalities for Surface devices -description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal. -ms.date: 11/09/2023 -ms.topic: tutorial -appliesto: - - ✅ Surface devices ---- - -# Management functionalities for Surface devices - -Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them. - -## Manage device firmware for Surface devices - -Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices. - -DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI. - -:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true"::: - -## Microsoft Surface Management Portal - -Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. 
- -When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities. - -To access and use the Surface Management Portal: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. Select **All services** > **Surface Management Portal** - :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true"::: -1. To obtain insights for all your Surface devices, select **Monitor** - - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here -1. To obtain details on each insights category, select **View report** - - This dashboard displays diagnostic information that you can customize and export -1. To obtain the device's warranty information, select **Device warranty and coverage** -1. To review a list of support requests and their status, select **Support requests** - - - -[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows -[MEM-1]: /mem/autopilot/dfci-management -[SURF-1]: /surface/surface-manage-dfci-guide diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md deleted file mode 100644 index 9646537bace..00000000000 --- a/education/windows/tutorial-school-deployment/reset-wipe.md +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -title: Reset and wipe Windows devices -description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Device reset options - -There are different scenarios that require a device to be reset, for example: - -- The device isn't responding to commands -- The device is lost or stolen -- It's the end of the life of the device -- It's the end of the school year and you want to prepare the device for a new school year -- The device has hardware problems and you want to send it to the service center - -:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false"::: - -Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them: - -- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings -- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state - -## Factory reset (wipe) - -A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management. - -Once the wipe is completed, the device will be in out-of-box experience. - -Here are the steps to perform a factory reset from Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Devices** -1. Select the device you want to reset > **Factory reset** -1. 
Select **Factory reset** to confirm the action - -:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false"::: - -Consider using factory reset in the following example scenarios: - -- The device isn't working properly, and you want to reset it without reimaging it -- It's the end of school year and you want to prepare the device for a new school year -- You need to reassign the device to a different student, and you want to reset the device to its original settings -- You're returning a device to the service center, and you want to remove all data and settings from the device - -> [!TIP] -> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device. - -## Autopilot Reset - -Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant. - -Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen. - -Here are the steps to perform an Autopilot reset from Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Devices** -1. Select the device you want to reset > **Autopilot reset** -1. 
Select **Autopilot reset** to confirm the action - -:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false"::: - -Consider using Autopilot reset in the following example scenarios: - -- The device isn't working properly, and you want to reset it without reimaging it -- It's the end of school year and you want to prepare the device for a new school year -- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE - -> [!TIP] -> Consider that the end user will **not** go through OOBE, and the association of the user to the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode). - -## Wiping and deleting a device - -There are scenarios that require a device to be deleted from your tenant, for example: - -- The device is lost or stolen -- It's the end of the life of the device -- The device has been replaced with a new device or has its motherboard replaced - -> [!IMPORTANT] -> The following actions should only be performed for devices that are no longer going to be used in your tenant. - - To completely remove a device, you need to perform the following actions: - -1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1] -1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2] -1. Delete the device from Microsoft Entra ID using [these steps][MEM-3] - -## Autopilot considerations for a motherboard replacement scenario - -Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. 
If a motherboard replacement is needed on an Autopilot device, it's suggested the following process: - -1. Deregister the device from Autopilot -1. Replace the motherboard -1. Capture a new device ID (4K HH) -1. Re-register the device with Autopilot - > [!IMPORTANT] - > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management. -1. Reset the device -1. Return the device - -For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4]. - - - -[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal -[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal -[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal -[MEM-4]: /mem/autopilot/autopilot-mbr diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md deleted file mode 100644 index 845d66a892d..00000000000 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md +++ /dev/null 
@@ -1,173 +0,0 @@
----
-title: Set up Microsoft Entra ID
-description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
-ms.date: 01/16/2024
-ms.topic: tutorial
-appliesto:
----
-
-# Set up Microsoft Entra ID
-
-The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
-
-Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
-
-> [!div class="checklist"]
->In this section you will:
->
-> - Set up a Microsoft 365 Education tenant
-> - Add users, create groups, and assign licenses
-> - Configure school branding
-> - Enable bulk enrollment
-
-## Create a Microsoft 365 tenant
-
-If you don't already have a Microsoft 365 tenant, you'll need to create one.
-
-For more information, see [Create your Office 365 tenant account][M365-1]
-
-> [!TIP]
-> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try this interactive demo.
-### Explore the Microsoft 365 admin center
-
-The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
-
-From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others:
-
-:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
-
-For more information, see [Overview of the Microsoft 365 admin center][M365-2].
-
-> [!NOTE]
-> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.
-
-## Add users, create groups, and assign licenses
-
-With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
-
-> [!NOTE]
-> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Microsoft Entra Connect Sync](#microsoft-entra-connect-sync) below.
-
-### School Data Sync
-
-School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes.
-
-For more information, see [Overview of School Data Sync][SDS-1].
-
-> [!TIP]
-> To learn more and practice with School Data Sync, follow the Microsoft School Data Sync demo, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.
-
-> [!NOTE]
-> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [O365-EDU-Tools GitHub site](https://github.com/OfficeDev/O365-EDU-Tools).
->
-> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
-
-### Microsoft Entra Connect Sync
-
-To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including:
-
-- [Password hash synchronization][AAD-1]
-- [Pass-through authentication][AAD-2]
-- [Federated authentication][AAD-3]
-
-For more information, see [Set up directory synchronization for Microsoft 365][O365-1].
-
-### Create users manually
-
-In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.
-
-There are two options for adding users manually, either individually or in bulk:
-
-1. To add students and teachers as users in Microsoft 365 Education *individually*:
- - Sign in to the Microsoft Entra admin center
- - Select **Microsoft Entra ID** > **Users** > **All users** > **New user** > **Create new user**
- For more information, see [Add users and assign licenses at the same time][M365-3].
-1. To add *multiple* users to Microsoft 365 Education:
- - Sign in to the Microsoft Entra admin center
- - Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
-
-For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
-
-### Create groups
-
-Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
-
-1. Sign in to the Microsoft Entra admin center
-1. Select **Microsoft Entra ID** > **Groups** > **All groups** > **New group**
-1. On the **New group** page, select **Group type** > **Security**
-1. Provide a group name and add members, as needed
-1. Select **Next**
-
-For more information, see [Create a group in the Microsoft 365 admin center][M365-5].
-
-### Assign licenses
-
-The recommended way to assign licenses is through group-based licensing. With this method, Microsoft Entra ID ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
-
-To assign a license to a group:
-
-1. Sign in to the Microsoft Entra admin center
-1. Select **Microsoft Entra ID** > **Show More** > **Billing** > **Licenses**
-1. Select the required products that you want to assign licenses for > **Assign**
-1. Add the groups to which the licenses should be assigned
-
- :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
-
-For more information, see [Group-based licensing using Microsoft Entra admin center][AAD-4].
-
-## Configure school branding
-
-Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.
-
-To configure your school's branding:
-
-1. Sign in to the Microsoft Entra admin center
-1. Select **Microsoft Entra ID** > **Show More** > **User experiences** > **Company branding**
-1. You can specify brand settings like background image, logo, username hint and a sign-in page text
- :::image type="content" source="images/entra-branding.png" alt-text="Configure Microsoft Entra ID branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
-1. To adjust the school tenant's name displayed during OOBE, select **Microsoft Entra ID** > **Overview** > **Properties**
-1. In the **Name** field, enter the school district or organization's name > **Save**
- :::image type="content" alt-text="Configure Microsoft Entra tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
-
-For more information, see [Add branding to your directory][AAD-5].
-
-## Enable bulk enrollment
-
-If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Microsoft Entra tenant.
-
-To allow provisioning packages to complete the Microsoft Entra join process:
-
-1. Sign in to the Microsoft Entra admin center
-1. Select **Microsoft Entra ID** > **Devices** > **Device Settings**
-1. Under **Users may join devices to Microsoft Entra ID**, select **All**
- > [!NOTE]
- > If it is required that only specific users can join devices to Microsoft Entra ID, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
-1. Select Save
- :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
-
---
-
-## Next steps
-
-With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
-
-> [!div class="nextstepaction"]
-> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
-
-
-
-[AAD-1]: /azure/active-directory/hybrid/whatis-phs
-[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta
-[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis
-[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign
-[AAD-5]: /azure/active-directory/fundamentals/customize-branding
-
-[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant
-[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview
-[M365-3]: /microsoft-365/admin/add-users/add-users
-[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time
-[M365-5]: /microsoft-365/admin/create-groups/create-groups
-
-[O365-1]: /office365/enterprise/set-up-directory-synchronization
-
-[SDS-1]: /schooldatasync/overview-of-school-data-sync
diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
deleted file mode 100644
index 1ee9608b0cf..00000000000
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Set up device management
-description: Learn how to configure the Intune service and set up the environment for education.
-ms.date: 01/16/2024
-ms.topic: tutorial
-appliesto:
----
-
-# Set up Microsoft Intune
-
-Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale.
-
-The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
-
-:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
-
-**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.
-
-For more information, see [Intune for Education documentation][INT-1].
-
-> [!div class="checklist"]
->In this section you will:
->
-> - Review Intune's licensing prerequisites
-> - Configure the Intune service for education devices
-
-## Prerequisites
-
-Before configuring settings with Intune for Education, consider the following prerequisites:
-
-- **Intune subscription.** Microsoft Intune is licensed in three ways:
- - As a standalone service
- - As part of [Enterprise Mobility + Security][MSFT-1]
- - As part of a [Microsoft 365 Education subscription][MSFT-2]
-- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS
-
-For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*.
-
-## Configure the Intune service for education devices
-
-The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.
-
-### Configure enrollment restrictions
-
-With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.
-
-To block personally owned Windows devices from enrolling:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
-1. Select the **Windows restrictions** tab
-1. Select **Create restriction**
-1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
-1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
- :::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png":::
-1. Optionally, on the **Scope tags** page, add scope tags > **Next**
-1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
-1. On the **Review + create** page, select **Create** to save the restriction
-
-For more information, see [Create a device platform restriction][MEM-2].
-
-### Disable Windows Hello for Business
-
-Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled.
-It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
-To disable Windows Hello for Business at the tenant level:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Windows Enrollment**
-1. Select **Windows Hello for Business**
-1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
-1. Select **Save**
-
-:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png":::
-
-For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
-
----
-
-## Next steps
-
-With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
-
-> [!div class="nextstepaction"]
-> [Next: Configure devices >](configure-devices-overview.md)
-
-
-
-[MEM-1]: /mem/intune/fundamentals/licenses
-[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set
-[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
-
-[INT-1]: /intune-education/what-is-intune-for-education
-
-[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
-[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
-[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml
deleted file mode 100644
index 8abc013f688..00000000000
--- a/education/windows/tutorial-school-deployment/toc.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-items:
- - name: Introduction
- href: index.md
- - name: 1. Prepare your tenant
- items:
- - name: Set up Microsoft Entra ID
- href: set-up-microsoft-entra-id.md
- - name: Set up Microsoft Intune
- href: set-up-microsoft-intune.md
- - name: 2. Configure settings and applications
- items:
- - name: Overview
- href: configure-devices-overview.md
- - name: Configure policies
- href: configure-device-settings.md
- - name: Configure applications
- href: configure-device-apps.md
- - name: 3. Deploy devices
- items:
- - name: Overview
- href: enroll-overview.md
- - name: Enroll devices via Microsoft Entra join
- href: enroll-entra-join.md
- - name: Enroll devices with provisioning packages
- href: enroll-package.md
- - name: Enroll devices with Windows Autopilot
- href: enroll-autopilot.md
- - name: 4. Manage devices
- items:
- - name: Overview
- href: manage-overview.md
- - name: Management functionalities for Surface devices
- href: manage-surface-devices.md
- - name: Reset and wipe devices
- href: reset-wipe.md
- - name: 5. Troubleshoot and get help
- href: troubleshoot-overview.md
-
diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
deleted file mode 100644
index 0d59f1af56a..00000000000
--- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Troubleshoot Windows devices
-description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
-ms.date: 11/09/2023
-ms.topic: tutorial
----
-
-# Troubleshoot Windows devices
-
-Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
-Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
-
-- [Troubleshooting device enrollment in Intune][MEM-2]
-- [Troubleshooting Windows Autopilot][MEM-9]
-- [Troubleshoot Windows Wi-Fi profiles][MEM-6]
-- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5]
-- [Troubleshooting BitLocker with the Intune encryption report][MEM-4]
-- [Troubleshooting CSP custom settings][MEM-8]
-- [Troubleshooting Win32 app installations with Intune][MEM-7]
-- [Troubleshooting device actions in Intune][MEM-3]
-- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user
- :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true":::
-
-## How to contact Microsoft Support
-
-Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
-
-Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
-
-- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-- Select **Troubleshooting + support** > **Help and support**
- :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
-- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
-- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
-- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
- - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution
- - View insights: find links to documentation that provides context and background specific to the product area or actions you've described
- - Recommended articles: browse suggested troubleshooting topics and other content related to your issue
-- If needed, use the *Contact support* pane to file an online support ticket
- > [!IMPORTANT]
- > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
-- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
-
-For more information, see [Microsoft Intune support page][MEM-1]
-
-
-[MEM-1]: /mem/get-support
-[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
-[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions
-[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center
-[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
-[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles
-[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install
-[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings
-[MEM-9]: /mem/autopilot/troubleshooting
-[MEM-10]: /mem/intune/remote-actions/collect-diagnostics
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index d6b1fa3e62c..b7d2153dced 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -7,7 +7,7 @@ appliesto: - ✅ Windows 10 --- -# Use the Set up School PCs app +# Use the Set up School PCs app IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune. 
@@ -16,20 +16,20 @@ With Set up School PCs you can: - Joins student devices to your organization's Microsoft Entra tenant - Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state - Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time -- Lock down student devices to prevent activity that aren't beneficial to their education +- Lock down student devices to prevent activity that aren't beneficial to their education -This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). +This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). ## Requirements Before you begin, make sure that your devices and your school's network are configured with the following requirements: - Microsoft Entra ID and Microsoft 365 licenses -- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40) +- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40) - A NTFS-formatted USB drive that is at least 1 GB - Student devices must either: - Be within range of the Wi-Fi network that you configured in the app - - Have a wired Ethernet connection when you set them up + - Have a wired Ethernet connection when you set them up ### Prepare existing PC account for new setup @@ -46,7 +46,7 @@ Alternatively, you can also select **Start** > **Power** icon. Hold down Sh 1. Select **Troubleshoot** > **Reset this PC** 1. Select **Remove everything** -1. If the option appears, select **Only the drive where Windows is installed** +1. If the option appears, select **Only the drive where Windows is installed** 1. Select **Just remove my files** 1. Select **Reset** 
@@ -58,20 +58,20 @@ This section offers recommendations to prepare you for the best possible setup e We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices. -### Student devices must meet OS requirements for the app +### Student devices must meet OS requirements for the app -Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices. +Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices. To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**. -### Use app on a PC that is connected to your school's network +### Use app on a PC that is connected to your school's network We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually. ->[!NOTE] +>[!NOTE] >Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use. -### Run app on an open network or network that requires a basic password +### Run app on an open network or network that requires a basic password Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it. 
@@ -87,57 +87,57 @@ We recommend that you: To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. -### Limit changes to school-optimized settings +### Limit changes to school-optimized settings -We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in. +We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in. -## Create the provisioning package +## Create the provisioning package The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your device and select **Get started**. -![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png) +![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png) ### Package name -Type a unique name to help distinguish your school's provisioning packages. The name appears: +Type a unique name to help distinguish your school's provisioning packages. The name appears: - On the local package folder - In your tenant's Microsoft Entra account in the Azure portal -A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package. +A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package. - ![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png) + ![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png) -After you select **Next**, you can no longer change the name in the app. 
To create a package with a different name, reopen the Set up School PCs app. +After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app. -To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there. +To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. You can access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator), and rename the package there. -### Sign in +### Sign in 1. Select how you want to sign in - 1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3 + 1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3 1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network) -1. In the new window, select the account you want to use throughout setup. +1. In the new window, select the account you want to use throughout setup. 
- ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png) + ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png) - To add an account not listed: - 1. Select **Work or school account** > **Continue**. - 1. Type in the account username and select **Next**. - 1. Verify the user account and password, if prompted. + To add an account not listed: + 1. Select **Work or school account** > **Continue**. + 1. Type in the account username and select **Next**. + 1. Verify the user account and password, if prompted. 1. Select **Accept** to allow Set up School PCs to access your account throughout setup 1. When your account name appears on the page, select **Next** - ![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png) + ![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png) ### Wireless network -Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. +Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. -Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next** +Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. 
Then select **Next** - ![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png) + ![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png) ### Device names 
@@ -147,17 +147,17 @@ To make sure all device names are unique, Set up School PCs automatically append To keep the default name for your devices, select **Continue with existing names**. - !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png) + !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png) ### Settings Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs. -![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png) +![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png) Setting selections vary based on the OS version you select. -![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png) +![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png) The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. 
@@ -172,20 +172,20 @@ The following table describes each setting and lists the applicable Windows 10 v After you've made your selections, select **Next**. -### Time zone +### Time zone > [!WARNING] > If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error. -Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**. +Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**. -![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png) +![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png) ### Product key Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**. -![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png) +![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png) ### Take a Test 
@@ -195,7 +195,7 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png) -1. Select from the advanced settings. Available settings include: +1. Select from the advanced settings. Available settings include: - Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard - Allow teachers to monitor online tests: Enables screen capture in the Take a Test app 1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment 
@@ -203,11 +203,11 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D ### Personalization -Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. +Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. -If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images. +If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images. -![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png) +![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png) ### Summary 
@@ -216,7 +216,7 @@ Review all of the settings for accuracy and completeness 1. To make changes now, select any page along the left side of the window 2. When finished, select **Accept** -![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png) +![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png) > [!NOTE] > To make changes to a saved package, you have to start over. 
@@ -230,34 +230,34 @@ Review all of the settings for accuracy and completeness 1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next** -![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png) +![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png) ## Run package - Get PCs ready Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**. -![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png) +![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png) ## Run package - Install package on PC The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device. -When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school. +When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school. 
> [!IMPORTANT] -> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). +> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). 1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC** ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png) - + 1. Insert the USB drive. Windows automatically recognizes and installs the package ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png) 1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one - ![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png) + ![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png) 1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. 
If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index eec8f909f16..e5fd11df2bf 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -102,10 +102,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` | | `DigiExam` | 14.1.0 | `Win32` | `Digiexam` | | `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` | -| `Dolphin Guide Connect` | 1.25 | `Win32` | `Dolphin Guide Connect` | -| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` | +| `Dolphin Guide Connect` | 1.27 | `Win32` | `Dolphin Guide Connect` | +| `Dragon Professional Individual` | 16.00.200.121 | `Win32` | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 14.0.0.0 | `Store` | `Data recognition Corporation` | -| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` | +| `Duo from Cisco` | 6.3.0 | `Win32` | `Cisco` | | `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` | | `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` | | `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` | @@ -114,7 +114,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ESET Endpoint Security` | 10.1.2046.0 | `Win32` | `ESET` | | `ESET Remote Administrator Agent` | 10.0.1126.0 | `Win32` | `ESET` | | `eTests` | 4.0.25 | `Win32` | `CASAS` | -| `Exam Writepad` | 23.2.4.2338 | `Win32` | `Sheldnet` | +| `Exam Writepad` | 24.4.1.1200 | `Win32` | `Sheldnet` | | `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` | | `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` | | `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` | 
@@ -126,8 +126,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` | | `Impero Backdrop Client` | 5.0.151 | `Win32` | `Impero Software` | | `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` | +| `Inprint` | 3.7.6 | `Win32` | `Inprint` | | `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` | -| `JAWS for Windows` | 2023.2307.37 | `Win32` | `Freedom Scientific` | +| `Instashare 2` | 1.3.13.0 | `Win32` | `BenQ` | +| `JAWS for Windows` | 2024.2312.53 | `Win32` | `Freedom Scientific` | | `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` | | `Keyman` | 16.0.142 | `Win32` | `SIL International` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | @@ -155,7 +157,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` | | `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` | | `Netsweeper Workstation Agent` | 4.50.54.54 | `Win32` | `Netsweeper` | -| `NonVisual Desktop Access` | 2023.1. | `Win32` | `NV Access` | +| `NonVisual Desktop Access` | 2023.3 | `Win32` | `NV Access` | | `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` | | `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` | | `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` | 
@@ -166,18 +168,19 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ReadAndWriteForWindows` | 12.0.78 | `Win32` | `Texthelp Ltd.` | | `Remote Desktop client (MSRDC)` | 1.2.4487.0 | `Win32` | `Microsoft` | | `Remote Help` | 5.0.1311.0 | `Win32` | `Microsoft` | -| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | +| `Respondus Lockdown Browser` | 2.1.1.05 | `Win32` | `Respondus` | | `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | -|`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` | +|`SchoolYear` | 3.7.10 | `Win32` |`SchoolYear` | |`School Manager` | 3.6.10-1149 | `Win32` |`Linewize` | |`Schoolnet Secure Tester` | 2.1.0 | `Win32` |`School Net` | |`Scratch` | 3.0 | `Win32` |`MIT` | | `Senso.Cloud` |2021.11.15.0 | `Win32` | `Senso.Cloud` | | `Skoolnext` | 2.19 | `Win32` | `Skool.net` | | `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` | -| `SuperNova Magnifier & Screen Reader` | 22.03 | `Win32` | `Dolphin Computer Access` | +| `SuperNova Magnifier & Screen Reader` | 22.04 | `Win32` | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` | -|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | +| `Snapplify` | 6.9.7 | `Win32` | `Snapplify` | +|`TX Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` | |`WA Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` | | `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` | 
@@ -185,8 +188,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Windows SEB` | 3.4.0 | `Win32` | `Illinois Stateboard of Education` | | `Windows Notepad` | 12.0.78 | `Store` | `Microsoft Corporation` | | `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` | -| `ZoomText Fusion` | 2023.2307.7.400 | `Win32` | `Freedom Scientific` | -| `ZoomText Magnifier/Reader` | 2023.2307.29.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Fusion` | 2024.2403.1.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Magnifier/Reader` | 2024.2402.66.400 | `Win32` | `Freedom Scientific` | ## Add your own applications @@ -224,4 +227,4 @@ For more information on Intune requirements for adding education apps, see [Conf [EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps [EDUWIN-2]: /education/windows/tutorial-school-deployment/ -[WIN-1]: /windows/whats-new/windows-11-requirements \ No newline at end of file +[WIN-1]: /windows/whats-new/windows-11-requirements diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index bea07c4d0bc..1c973e20350 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -2,7 +2,7 @@ title: Windows 11 SE settings list description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change. ms.topic: reference -ms.date: 08/18/2023 +ms.date: 05/06/2024 appliesto: - ✅ Windows 11 SE ms.collection: diff --git a/includes/configure/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md index 05f77b08434..d804757446e 100644 --- a/includes/configure/intune-custom-settings-1.md +++ b/includes/configure/intune-custom-settings-1.md 
@@ -6,11 +6,4 @@ ms.topic: include ms.service: windows-client --- -To configure devices with Microsoft Intune, use a custom policy: - -1. Go to the Microsoft Intune admin center -2. Select **Devices > Configuration profiles > Create profile** -3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** -4. Select **Create** -5. Specify a **Name** and, optionally, a **Description > Next** -6. Add the following settings: \ No newline at end of file +To configure devices with Microsoft Intune, [create a custom policy](/mem/intune/configuration/custom-settings-windows-10) and use the following settings: \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md index 92dc4bf22d1..66b5ceae1d1 100644 --- a/includes/configure/intune-custom-settings-2.md +++ b/includes/configure/intune-custom-settings-2.md @@ -6,7 +6,4 @@ ms.topic: include ms.service: windows-client --- -7. Select **Next** -8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -9. Under **Applicability Rules**, select **Next** -10. Review the policy configuration and select **Create** \ No newline at end of file +Assign the policy to a group that contains as members the devices or users that you want to configure. \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md deleted file mode 100644 index fc2277cecb3..00000000000 --- a/includes/configure/intune-custom-settings-info.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 08/15/2023 -ms.topic: include -ms.service: windows-client ---- - -For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file 
diff --git a/includes/configure/powershell-wmi-bridge-1.md b/includes/configure/powershell-wmi-bridge-1.md
new file mode 100644
index 00000000000..84c8a0bb24c
--- /dev/null
+++ b/includes/configure/powershell-wmi-bridge-1.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
+
+> [!IMPORTANT]
+> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
+
+To test the PowerShell script, you can:
+
+1. [Download the psexec tool](/sysinternals/downloads/psexec)
+1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
+1. Run the script in the PowerShell session
diff --git a/includes/configure/powershell-wmi-bridge-2.md b/includes/configure/powershell-wmi-bridge-2.md
new file mode 100644
index 00000000000..55db82674df
--- /dev/null
+++ b/includes/configure/powershell-wmi-bridge-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+For more information, see [Use PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md
deleted file mode 100644
index 3ca26ae6ea7..00000000000
--- a/includes/licensing/account-lockout-policy.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Windows edition and licensing requirements
-
-The following table lists the Windows editions that support Account Lockout Policy:
-
-|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|
-
-Account Lockout Policy license entitlements are granted by the following licenses:
-
-|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:---:|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|Yes|
-
-For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md
deleted file mode 100644
index f14704f4824..00000000000
--- a/includes/licensing/assigned-access-kiosk-mode.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Windows edition and licensing requirements
-
-The following table lists the Windows editions that support Assigned Access (kiosk mode):
-
-|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|
-
-Assigned Access (kiosk mode) license entitlements are granted by the following licenses:
-
-|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:---:|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|Yes|
-
-For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/assigned-access.md b/includes/licensing/assigned-access.md
new file mode 100644
index 00000000000..3a980896b0e
--- /dev/null
+++ b/includes/licensing/assigned-access.md
@@ -0,0 +1,32 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + + + +## Windows edition requirements + +The following table lists the Windows editions that support Assigned Access: + +|Edition|Assigned Access support| +|:---|:---:| +|Education|✅| +|Enterprise |✅| +|Enterprise LTSC|✅| +|IoT Enterprise | ✅| +|IoT Enterprise LTSC|✅| +|Pro Education|✅| +|Pro|✅| + + \ No newline at end of file diff --git a/includes/licensing/shell-launcher.md b/includes/licensing/shell-launcher.md new file mode 100644 index 00000000000..b44ad3f92b2 --- /dev/null +++ b/includes/licensing/shell-launcher.md @@ -0,0 +1,33 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/18/2023 +ms.topic: include +--- + + + +## Windows edition requirements + +The following table lists the Windows editions that support Shell Launcher: + +|Edition|Shell Launcher support| +|:---|:---:| +|Education|✅| +|Enterprise |✅| +|Enterprise LTSC|✅| +|IoT Enterprise | ✅| +|IoT Enterprise LTSC|✅| +|Pro Education|❌| +|Pro|❌| + + \ No newline at end of file diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md deleted file mode 100644 index 07f612b6ae9..00000000000 --- a/includes/licensing/windows-security-policy-settings-and-auditing.md +++ /dev/null 
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Windows edition and licensing requirements
-
-The following table lists the Windows editions that support Windows security policy settings and auditing:
-
-|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|
-
-Windows security policy settings and auditing license entitlements are granted by the following licenses:
-
-|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:---:|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|Yes|
-
-For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
deleted file mode 100644
index 000c3669c06..00000000000
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ /dev/null
@@ -1,21 +0,0 @@
-
-
-
-
-## Week of July 10, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 7/14/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
-| 7/14/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified |
-| 7/14/2023 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
-
-
-## Week of June 26, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 6/29/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
-| 6/29/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified |
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 1d519c7d261..ac4b271b5dc 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -65,11 +65,10 @@ If your organization restricts computers on your network from connecting to the - `account.live.com` - `clientconfig.passport.net` - `windowsphone.com` -- `\*.wns.windows.com` -- `\*.microsoft.com` -- `\*.s-microsoft.com` +- `*.wns.windows.com` +- `*.microsoft.com` +- `*.s-microsoft.com` - `www.msftncsi.com` (prior to Windows 10, version 1607) -- `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com` - starting with Windows 10, version 1607) +- `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com` starting with Windows 10, version 1607) Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 964efc7788c..4af32aae838 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md 
@@ -8,18 +8,20 @@ ms.author: cmcatee author: cmcatee-MSFT manager: scotv ms.topic: conceptual -ms.date: 01/11/2024 +ms.date: 06/21/2024 ms.reviewer: --- # What's new in Microsoft Store for Business and Education -> [!IMPORTANT] -> -> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - ## Latest updates for Store for Business and Education +**June 2024** + +The Microsoft Store for Business and Microsoft Store for Education portals will retire on August 15, 2024. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-intune-integration-with-the-microsoft-store-on-windows/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). If you are using offline licensing, you can use the [WinGet Download command](/windows/package-manager/winget/download) to continue to access offline apps and license files. + +## Previous releases and updates + **January 2024** **Removal of private store capability from Microsoft Store for Business and Education** 
@@ -28,8 +30,6 @@ The private store tab and associated functionality was removed from the Microsof We recommend customers use the [Private app repository, Windows Package Manager, and Company Portal app](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) to provide a private app repository within their organization. -## Previous releases and updates - [May 2023](release-history-microsoft-store-business-education.md#may-2023) - Tab removed from Microsoft Store apps on Windows 10 PCs. diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md deleted file mode 100644 index 534e26d4268..00000000000 --- a/windows/application-management/add-apps-and-features.md +++ /dev/null 
@@ -1,98 +0,0 @@
----
-title: Add or hide Windows features
-description: Learn how to add Windows optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.date: 08/18/2023
-ms.topic: how-to
-ms.service: windows-client
-ms.subservice: itpro-apps
-ms.localizationpriority: medium
-ms.collection: tier2
-appliesto:
- - ✅ Windows 11
- - ✅ Windows 10
----
-
-# Add or hide Windows features
-
-Windows includes optional features that aren't installed by default, but you can add later. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities), and can be installed at any time. Some of these features are language resources like language packs or handwriting support. On organization-owned devices, you can control access to these other features. You can use group policy or mobile device management (MDM) policies to hide the UI from users, or use Windows PowerShell to enable or disable specific features.
-
-## Use the Windows Settings app to add or uninstall features
-
-### Windows 11
-
-1. Open the Start menu and search for **Settings**.
-
-1. In the Settings app, search for "optional" and select **Optional features**.
-
- > [!TIP]
- > You can also use the following shortcut to open it directly: [`ms-settings:optionalfeatures`](ms-settings:optionalfeatures).
-
-1. To add a feature:
-
- 1. Select **View features** next to "Add an optional feature."
-
- 1. Find the feature you want to add, like **XPS Viewer**. Select the box to add it. You can select multiple features.
-
- 1. Select **Next**. Review the list of features you selected, and then select **Install** to add the selected features.
-
-1. To uninstall a feature:
-
- 1. Search for it in the list of **Installed features**.
-
- 1. Expand the section, and select **Uninstall**.
-
-### Windows 10
-
-1. In the Search bar, search for "apps" and select **Apps and features**.
-
-1. Select **Optional features** > **Add a feature**.
-
-1. Select the feature you want to add, like **XPS Viewer**, and then select **Install.**
-
-When the installation completes, the feature is listed in **Apps & features**. In **Apps & features** > **Optional features** > **More Windows features**, there are more features that you and your users can install.
-
-To uninstall a feature, open the **Settings** app. Select the feature, and then select **Uninstall**.
-
-## Use group policy or MDM policies to hide Windows features
-
-By default, the OS might show Windows features and allow users to install and uninstall these optional apps and features. To hide Windows features on your user devices, you can use group policy or an MDM provider like Microsoft Intune.
-
-### Group policy
-
-If you use group policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy may be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the settings page to add optional features is hidden on the device.
-
-You can't use group policy to disable specific Windows features, such as XPS Viewer. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features).
-
-If you want to hide the entire **Apps** feature in the Settings app, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Programs and Features" page` policy.
-
-### MDM
-
-Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [settings catalog](/mem/intune/configuration/settings-catalog) to hide Windows features.
-
-If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the settings you can configure, see [Control Panel and Settings device restrictions in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
-
-## Use Windows PowerShell to disable specific features
-
-To disable specific features, use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) cmdlet.
-
-> [!NOTE]
-> There isn't a group policy that disables specific Windows features.
-
-To automate disabling specific features, create a scheduled task to run a PowerShell script. For more information about Windows task scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
-
-Microsoft Intune can also run PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
-
-To enable specific features, use the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) cmdlet.
-
-Another useful PowerShell cmdlet is [Get-WindowsOptionalFeature](/powershell/module/dism/get-windowsoptionalfeature). Use this cmdlet to view information about optional features in the current OS or a mounted image. This cmdlet returns the current state of features, and whether a restart may be required when the state changes.
-
-## Related articles
-
-- [Features on Demand overview](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
-
-- [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod)
-
-- [Language and region Features on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-language-fod)
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
deleted file mode 100644
index 94c799e8af2..00000000000
--- a/windows/application-management/app-v/appv-about-appv.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10)
-description: Information about what's new in App-V for Windows 10, version 1703 and earlier.
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/08/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# What's new in App-V for Windows 10, version 1703 and earlier
-
->Applies to: Windows 10, version 1703 and earlier
-
-Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.
-
-## What's new in App-V Windows 10, version 1703
-
-### Auto-sequence and update your App-V packages singly or as a batch
-
-Previous versions of the App-V Sequencer required manual sequencing and updating of app packages. This was time-consuming and required extensive interaction, causing many companies to deploy brand-new packages rather than update an existing one. Windows 10, version 1703 introduces the App-V Auto-Sequencer, which automatically sequences your app packages, improving your overall experience by streamlining prerequisite environment provisioning, automating app installation, and expediting package updating setup.
-
-Using the automatic sequencer to package your apps gives you the following benefits:
-
-* **Automatic virtual machine (VM) sequencing environment provisioning**. To learn more, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md).
-* **Package batch-sequencing**. This benefit denotes that multiple apps can be sequenced at the same time, in a single group. To learn more, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md).
-* **Package batch-updating**. This benefit denotes that multiple apps can be updated at the same time, in a single group. To learn more, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md).
-
-### Updates to the App-V project template
-
-Starting with Windows 10, version 1703, you can now save an App-V project template (.appvt) file as part of a sequenced App-V package. This file will automatically load every time you open the package for edits or updates. Your template can include general option settings, file exclusion list settings, and target operating system settings. To learn more, see [Create and apply an App-V project template to a sequenced App-V package](../app-v/appv-create-and-use-a-project-template.md).
-
-### Automatically clean up unpublished App-V packages from the App-V client
-
-Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up more storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. To learn more, see [Automatically clean up unpublished packages on the App-V client](../app-v/appv-auto-clean-unpublished-packages.md).
-
-## What's new in App-V in Windows 10, version 1607
-
-### App-V is now a feature in Windows 10
-
-With Windows 10, version 1607 and later releases, App-V is now included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack.
-
-To learn more about earlier versions of App-V, see [MDOP Information Experience](/microsoft-desktop-optimization-pack/index).
-
-The changes in App-V for Windows 10, version 1607 impact existing implementations of App-V in the following ways:
-
-* The App-V client is installed on user devices automatically with Windows 10, version 1607, and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the App-V client.
-* In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
-
- > [!NOTE]
- >If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release.
-
-For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](../app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md) and [Migrating to App-V for Windows 10 from a previous version](../app-v/appv-migrating-to-appv-from-a-previous-version.md).
-
->[!IMPORTANT]
->You can only upgrade your existing App-V installation to Windows 10, version 1607 if it's version 5.0 SP2 or higher. If you're using an older version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you can upgrade to Windows 10, version 1607.
-
-## Support for System Center
-
-App-V supports System Center 2016 and Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj822982(v=technet.10)) to learn more about how to integrate your App-V environment with Configuration Manager.
-
-## Related articles
-
-* [Release Notes for App-V for Windows 10, version 1607](../app-v/appv-release-notes-for-appv-for-windows.md)
-* [Release Notes for App-V for Windows 10, version 1703](../app-v/appv-release-notes-for-appv-for-windows-1703.md)
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
deleted file mode 100644
index 21175a8da7b..00000000000
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11)
-description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/08/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# How to add or remove an administrator by using the Management Console
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the following procedures to add or remove an administrator on the Microsoft Application Virtualization (App-V) server.
-
-## Add an administrator using the Management Console
-
-1. Open the Microsoft Application Virtualization (App-V) Management Console and select **Administrators** in the navigation pane. The navigation pane will display a list of Access Directory (AD) users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server.
-2. To add a new administrator, select **Add Administrator**. Enter the name of the administrator that you want to add in the **Active Directory Name** field. Make sure to also provide the associated user account domain name. For example, **Domain** \\ **UserName**.
-3. Select the account you want to add and select **Add**. The new account should now appear in the list of server administrators.
-
-## Remove an administrator using the Management Console
-
-1. Open the Microsoft Application Virtualization (App-V) Management Console and select **Administrators** in the navigation pane. The navigation pane displays a list of AD users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server.
-2. Right-click the account to be removed from the list of administrators and select **Remove**.
-
-
-
-
-
-## Related articles
-
-* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
deleted file mode 100644
index ee6544a1815..00000000000
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11)
-description: Add or upgrade packages on the Microsoft Application Virtualization (App-V) server by using the Management Console.
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/08/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# How to add or upgrade packages by using the Management Console
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-You can use the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**.
-
-## Add a package to the Management Console
-
-1. Select the **Packages** tab in the navigation pane of the Management Console display.
-
- The console displays the list of packages that have been added to the server along with status information about each package. When a package is selected, detailed information about the package is displayed in the **PACKAGES** pane.
-
- Select the **Ungrouped** drop-down list box and specify how the packages are to be displayed in the console. You can also click the associated column header to sort the packages.
-
-2. Select **Add or Upgrade Packages** to specify which package you want to add.
-
-3. Enter the full path to the package that you want to add. Use the UNC or HTTP path format, for example **\\\\servername\\sharename\\foldername\\packagename.appv** or **http://server.1234/file.appv**, and then select **Add**.
-
- >[!IMPORTANT]
- >You must select a package with the **.appv** file name extension.
-
-4. The page displays the status message **Adding <Packagename>**. Select **IMPORT STATUS** to check the status of a package that you have imported.
-
- Select **OK** to add the package and close the **Add Package** page. If there was an error during the import, select **Detail** on the **Package Import** page for more information. The newly added package is now available in the **PACKAGES** pane.
-
-5. Select **Close** to close the **Add or Upgrade Packages** page.
-
-
-
-
-
-## Related articles
-
-* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
deleted file mode 100644
index 9260eaa1592..00000000000
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ /dev/null
@@ -1,56 +0,0 @@ ---- -title: Administering App-V by using Windows PowerShell (Windows 10/11) -description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V. -author: aczechowski -ms.service: windows-client -ms.date: 06/08/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# Administering App-V by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Microsoft Application Virtualization (App-V) supports Windows PowerShell cmdlets that give administrators a quick and easy way to manage App-V. The following sections will tell you more about how to use Windows PowerShell with App-V. - -## How to administer App-V with Windows PowerShell - -The following table lists articles that will tell you more about how to use PowerShell for App-V. - -|Name|Description| -|---|---| -|[How to load the Windows PowerShell cmdlets for App-V and get cmdlet help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)|Describes how to install the Windows PowerShell cmdlets and find cmdlet help and examples.| -|[How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)|Describes how to manage the client package lifecycle on a stand-alone computer with Windows PowerShell.| -|[How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)|Describes how to manage connection groups with Windows PowerShell.| -|[How to modify client configuration by using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)|Describes how to modify the client with Windows PowerShell.| -|[How to apply the user configuration file by using Windows 
PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)|Describes how to apply a user configuration file with Windows PowerShell.| -|[How to apply the deployment configuration file by using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)|Describes how to apply a deployment configuration file with Windows PowerShell.| -|[How to sequence a package by using Windows PowerShell](appv-sequence-a-package-with-powershell.md)|Describes how to create a new package with Windows PowerShell.| -|[How to create a package accelerator by using Windows PowerShell](appv-create-a-package-accelerator-with-powershell.md)|Describes how to create a package accelerator with Windows PowerShell. You can use package accelerators to automatically sequence large, complex applications.| -|[How to enable reporting on the App-V client by using Windows PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)|Describes how to enable the computer running the App-V Client to send reporting information.| -|[How to install the App-V databases and convert the associated security identifiers by using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)|Describes how to take an array of account names and to convert each of them to the corresponding SID in standard and hexadecimal formats.| -|[How to configure the client to receive package and connection groups updates from the publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)|Describes how to use Windows PowerShell to configure a client after you have deployed the App-V management and publishing servers and added the required packages and connection groups.| - ->[!IMPORTANT] ->Make sure that any script you execute with your App-V packages matches the execution policy that you have configured for Windows PowerShell. 
- -## Windows PowerShell error handling - -The following table describes Windows PowerShell error handling for App-V. - -|Event|Action| -|---|---| -|Using the **RollbackOnError** attribute with embedded scripts|When you use the **RollbackOnError** attribute with embedded scripts, the attribute is ignored for the following events:
    - Removing a package
    - Unpublishing a package
    - Terminating a virtual environment
    - Terminating a process| -|Package name contains **$**|If a package name contains the character \$\, you must use a single-quote ( **'** ).
    For example:
    ```Add-AppvClientPackage 'Contoso$App.appv'```| - - - - - -## Related articles - -* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md deleted file mode 100644 index 3ae0ecc41f1..00000000000 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ /dev/null 
@@ -1,63 +0,0 @@
----
-title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11)
-description: Administering App-V Virtual Applications by using the Management Console
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/08/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# Administering App-V Virtual Applications by using the Management Console
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers running the App-V client. One or more management servers typically share a common data store for configuration and package information.
-
-The management server uses Active Directory Domain Services (AD DS) groups to manage user authorization and has SQL Server installed to manage the database and data store.
-
-Because the management servers stream applications to end users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs. The management server consists of the following components:
-
-- The **management server** manages packages and connection groups.
-- The **publishing server** deploys packages to computers running the App-V Client.
-- The **management database** manages the package access publishes the server’s synchronization with the management server.
-
-## Management Console tasks
-
-Here are some articles that can show you how to perform the most common tasks that the App-V Management Console is used for:
-
-- [How to connect to the Management Console](appv-connect-to-the-management-console.md)
-- [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md)
-- [How to configure access to packages by using the Management Console](appv-configure-access-to-packages-with-the-management-console.md)
-- [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md)
-- [How to delete a package in the Management Console](appv-delete-a-package-with-the-management-console.md)
-- [How to add or remove an administrator by using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md)
-- [How to register and unregister a publishing server by using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md)
-- [How to create a custom configuration file by using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md)
-- [How to transfer access and configurations to another version of a package by using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md)
-- [How to customize virtual application extensions for a specific AD group by using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md)
-- [How to view and configure applications and default virtual application extensions by using the Management Console](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md)
-
-The main elements of the App-V Management Console are:
-
-|Management Console tab|Description|
-|---|---|
-|Packages tab|Use the **Packages** tab to add or upgrade packages.|
-|Connection Groups tab|Use the **Connection Groups** tab to manage connection groups.|
-|Servers tab|Use the **Servers** tab to register a new server.|
-|Administrators tab|Use the **Administrators** tab to register, add, or remove administrators in your App-V environment.|
-
->[!IMPORTANT]
->The browser you're using to open the Web Management Console must have JavaScript enabled.
-
-
-
-
-
-## Other resources for this App-V deployment
-
-- [Application Virtualization (App-V) overview](appv-for-windows.md)
-- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
deleted file mode 100644
index 24ab5d46a1a..00000000000
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ /dev/null
@@ -1,36 +0,0 @@ ---- -title: Only Allow Admins to Enable Connection Groups (Windows 10/11) -description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups. -author: aczechowski -ms.service: windows-client -ms.date: 06/08/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to allow only administrators to enable connection groups - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -You can configure the App-V client so that only administrators, not users, can enable or disable connection groups. In earlier versions of App-V, there was no way to restrict access to disabling connection groups to users. - ->[!NOTE] ->This feature is supported starting in App-V 5.0 SP3. - -Use one of the following methods to allow only administrators to enable or disable connection groups. - -|Method|Steps| -|---|---| -|Group Policy setting|Enable the “Require publish as administrator” Group Policy setting, which is located in the following Group Policy Object node:

    **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**| -|Windows PowerShell cmdlet|Run the **Set-AppvClientConfiguration** cmdlet with the *-RequirePublishAsAdmin* parameter.

    Parameter values:
    - **0** – False
    - **1** – True

    Example: ```Set-AppvClientConfiguration -RequirePublishAsAdmin 1```| - - - - - -## Related articles - -- [Managing Connection Groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md deleted file mode 100644 index 363bf2e7ec8..00000000000 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ /dev/null @@ -1,899 +0,0 @@ ---- -title: Application Publishing and Client Interaction (Windows 10/11) -description: Learn technical information about common App-V Client operations and their integration with the local operating system. -author: aczechowski -ms.service: windows-client -ms.date: 06/08/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# Application publishing and client interaction - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -This article provides technical information about common App-V Client operations and their integration with the local operating system. - -## App-V package files created by the Sequencer - -The Sequencer creates App-V packages and produces a virtualized application. The sequencing process creates the following files: - -|File|Description| -|---|---| -|.appv|- The primary package file, which contains captured assets and state information from the sequencing process.
    - Architecture of the package file, publishing information, and registry in a tokenized form that can be reapplied to a machine and to a specific user upon delivery.| -|.MSI|Executable deployment wrapper that you can use to deploy .appv files manually or by using a third-party deployment platform.| -|_DeploymentConfig.XML|File used to customize the default publishing parameters for all applications in a package that is deployed globally to all users on a computer that is running the App-V Client.| -|_UserConfig.XML|File used to customize the publishing parameters for all applications in a package that is a deployed to a specific user on a computer that is running the App-V Client.| -|Report.xml|Summary of messages resulting from the sequencing process, including omitted drivers, files, and registry locations.| -|.CAB|Optional: Package accelerator file used to automatically rebuild a previously sequenced virtual application package.| -|.appvt|Optional: Sequencer template file used to retain commonly reused Sequencer settings.| - -To learn more about sequencing, see [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). - -## What’s in the appv file? - -The appv file is a container that stores XML and non-XML files together in a single entity. This file is built from the AppX format, which is based on the Open Packaging Conventions (OPC) standard. - -To view the appv file contents, make a copy of the package, and then rename the copied file to a .zip extension. - -The appv file contains the following folder and files, which are used when creating and publishing a virtual application: - -| Name | Type | Description | -|---|---|---| -| Root | File folder | Directory that contains the file system for the virtualized application captured during sequencing. | -| [Content_Types].xml | XML File | List of the core content types in the appv file (for example, DLL, EXE, BIN). 
| -| AppxBlockMap.xml | XML File | Layout of the appv file, which uses File, Block, and BlockMap elements that enable location and validation of files in the App-V package.| -| AppxManifest.xml | XML File | Metadata for the package that contains the required information for adding, publishing, and launching the package. Includes extension points (file type associations and shortcuts) and the names and GUIDs associated with the package.| -| FilesystemMetadata.xml | XML File | List of the files captured during sequencing, including attributes (such as directories, files, opaque directories, empty directories, and long and short names). | -| PackageHistory.xml | XML File | Information about the sequencing computer (operating system version, Internet Explorer version, .Net Framework version) and process (upgrade, package version).| -| Registry.dat | DAT File | Registry keys and values captured during the sequencing process for the package.| -| StreamMap.xml | XML File | List of files for the primary and publishing feature block. The publishing feature block contains the ICO files and required portions of files (EXE and DLL) for publishing the package. When present, the primary feature block includes files that have been optimized for streaming during the sequencing process.| - -## App-V Client data storage locations - -The App-V Client performs tasks to keep virtual applications running properly and working like locally installed applications. The process of opening and running virtual applications requires mapping from the virtual file system and registry to ensure the application has the required components of a traditional application expected by users. This section describes the assets that are required to run virtual applications and lists the location where App-V stores the assets. 
- -| Name | Location | Description | -|---|---|---| -| Package Store | %ProgramData%\App-V| Default location for read-only package files.| -| Machine Catalog | %ProgramData%\Microsoft\AppV\Client\Catalog| Contains per-machine configuration documents.| -| User Catalog | %AppData%\Microsoft\AppV\Client\Catalog| Contains per-user configuration documents.| -| Shortcut Backups | %AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups| Stores previous integration points that enable restore on package unpublish.| -| Copy on Write (COW) Roaming | %AppData%\Microsoft\AppV\Client\VFS| Writeable roaming location for package modification.| -| Copy on Write (COW) Local | %LocalAppData%\Microsoft\AppV\Client\VFS| Writeable non-roaming location for package modification.| -| Machine Registry | HKLM\Software\Microsoft\AppV| Contains package state information, including VReg for machine or globally published packages (Machine hive).| -| User Registry | HKCU\Software\Microsoft\AppV| Contains user package state information including VReg.| -| User Registry Classes | HKCU\Software\Classes\AppV| Contains more user package state information.| - -More details for the table are provided in the section below and throughout the document. - -### Package store - -The App-V Client manages the applications assets mounted in the package store. This default storage location is %ProgramData%\App-V, but you can configure it during or after setup by using the **Set-AppVClientConfiguration** Windows PowerShell cmdlet, which modifies the local registry (**PackageInstallationRoot** value under the HKLM\Software\Microsoft\AppV\Client\Streaming key). The package store must be located at a local path on the client operating system. The individual packages are stored in the package store in subdirectories named after the Package GUID and Version GUID. 
- -The following is an example of a path to a specific application: - -```syntax -C:\ProgramData\App-V\PackGUID\VersionGUID -``` - -To change the default location of the package store during setup, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). - -### Shared Content Store - -If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). In VDI environments where local storage can be limited, it's important to use as little disk space as possible. You can minimize disk space usage by streaming applications from a high-performance network location (such as a SAN). For more information, see [Shared Content Store in Microsoft App-V 5.0 - Behind the Scenes](/archive/blogs/appv/shared-content-store-in-microsoft-app-v-5-0-behind-the-scenes). - ->[!NOTE] ->The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client. - -### Package catalogs - -The App-V Client manages the following file-based locations: - -- **Catalogs (user and machine).** -- **Registry locations**—depends on how the package is targeted for publishing. There's a Catalog (data store) for the computer, and a catalog for each individual user. The Machine catalog stores global information applicable to all users or any specific user, and the User catalog stores information applicable to a specific user. The catalog is a collection of Dynamic Configurations and manifest files; there's discrete data for both file and registry per package version. - -### Machine catalog - -The locations described in this table can be found in the %programdata%\Microsoft\AppV\Client\Catalog\ folder. - -| | Location | -|:---|:---| -|**Description**|Stores package documents that are available to users on the machine when packages are added and published. 
However, if a package is “global” at publishing time, the integrations are available to all users.

    If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (such as when the package directory is in a shared disk location).

    If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there's a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there's a policy file (UserDeploymentConfiguration file) in the Machine Catalog.|
-|**Default storage location**|%programdata%\Microsoft\AppV\Client\Catalog\

    This location isn't the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.|
-|**Files in the machine catalog**|- Manifest.xml
    - DeploymentConfiguration.xml
    - UserManifest.xml (Globally Published Package)
    - UserDeploymentConfiguration.xml (Globally Published Package)|
-|**Additional machine catalog location, used when the package is part of a connection group**|The following location is in addition to the specific package location mentioned previously as the default storage location:

    %programdata%\Microsoft\AppV\Client\Catalog\PackageGroups\ConGroupGUID\ConGroupVerGUID|
-|**Additional files in the machine catalog when the package is part of a connection group**|- PackageGroupDescriptor.xml
    - UserPackageGroupDescriptor.xml (globally published Connection Group)|
-
-### User catalog
-
-The locations described in this table can be found in the appdata\roaming\Microsoft\AppV\Client\Catalog\ folder.
-
-|| Location |
-|:---|:---|
-|**Description**|Created during the publishing process. Contains information used for publishing the package, and for making sure that a package is provisioned to a specific user at launch. Created in a roaming location and includes user-specific publishing information.

    When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

    For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they're provisioned.|
-|**Default storage location**|appdata\roaming\Microsoft\AppV\Client\Catalog\Packages\PkgGUID\VerGUID|
-|**Files in the user catalog**|- UserManifest.xml
    - DynamicConfiguration.xml or UserDeploymentConfiguration.xml|
-|**Additional user catalog location, used when the package is part of a connection group**|The following location is in addition to the specific package location mentioned above:

    appdata\roaming\Microsoft\AppV\Client\Catalog\PackageGroups\PkgGroupGUID\PkgGroupVerGUID| -|**Additional file in the machine catalog when the package is part of a connection group**|UserPackageGroupDescriptor.xml| - -### Shortcut backups - -During the publishing process, the App-V Client backs up any shortcuts and integration points to %AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups. This backup lets integration points restore to the previous versions when the package is unpublished. - -### Copy on Write files - -The Package Store contains a pristine copy of the package files that have been streamed from the publishing server. During normal operation of an App-V application, the user or service may require changes to the files. However, these changes aren't made in the package store to preserve your ability to repair the application, which removes these changes. These locations, called Copy on Write (COW), support both roaming and non-roaming locations. The location where the modifications are stored depends where the application has been programmed to write changes to in a native experience. - -### COW roaming - -The COW Roaming location described above stores changes to files and directories that are targeted to the typical %AppData% location or \\Users\\*<username>*\\AppData\\Roaming location. These directories and files are then roamed based on the operating system settings. - -### COW local - -The COW Local location is similar to the roaming location, but the directories and files aren't roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (for example, Common AppData and Common AppDataS). 
The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the signed-in users. The non-**S** location stores user-based changes. - -## Package registry - -Before an application can access the package registry data, the App-V Client must make the package registry data available to the applications. The App-V Client uses the real registry as a backing store for all registry data. - -When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file from the package is created at %ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat. The name of the file is the version GUID with the .DAT extension. The reason this copy is made is to ensure that the actual hive file in the package is never in use, which would prevent the removal of the package at a later time. - -**Registry.dat from Package Store** > **%ProgramData%\Microsoft\AppV\Client\Vreg\\{VersionGUID}.dat** - -When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGUID\REGISTRY. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a user-specific location HKCU\Software\Microsoft\AppV\Client\Packages\PackageGUID\Registry\User. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation. - -### Package registry staging vs. connection group registry staging - -When connection groups are present, the previous process of staging the registry holds true, but instead of having one hive file to process, there are more than one. 
The files are processed in the order in which they appear in the connection group XML, with the first writer winning any conflicts. - -The staged registry persists the same way as in the single package case. Staged user registry data remains for the connection group until it's disabled; staged machine registry data is removed on connection group removal. - -### Virtual registry - -The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. It also provides copy-on-write (COW) functionality—that is, any changes made to the registry from the context of a virtual process are made to a separate COW location. This functionality means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the **registry COW** > **package** > **native**. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there's a value stored in a COW location it will not proceed to other locations, however, if there's no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. - -### Registry locations - -There are two package registry locations and two connection group locations where the App-V Client stores registry information, depending on whether the Package is published individually or as part of a connection group. There are three COW locations for packages and three for connection groups, which are created and managed by the VREG. Settings for packages and connection groups aren't shared: - -#### Single Package VReg - -The registries in the following table are located in the Registry\Client\Packages\PkgGUID\ folder. - -|Location|Description| -|---|---| -|COW|- Machine Registry\Client\Packages\PkgGUID\REGISTRY (Only elevate process can write)
    - User Registry\Client\Packages\PkgGUID\REGISTRY (User Roaming anything written under HKCU except Software\Classes
    - User Registry Classes\Client\Packages\PkgGUID\REGISTRY (HKCU\Software\Classes writes and HKLM for non-elevated process)|
-|Package|- Machine Registry\Client\Packages\PkgGUID\Versions\VerGuid\Registry\Machine
    - User Registry Classes\Client\Packages\PkgGUID\Versions\VerGUID\Registry|
-|Native|- Native application registry location|
-
-#### Connection Group VReg
-
-The registries in the following table are located in the Machine Registry\Client\PackageGroups\GrpGUID\ and User Registry Classes\Client\PackageGroups\GrpGUID\ folders.
-
-|Location|Description|
-|---|---|
-|COW|- Machine Registry\Client\PackageGroups\GrpGUID\REGISTRY (only elevate process can write)
    - User Registry\Client\PackageGroups\GrpGUID\REGISTRY (Anything written to HKCU except Software\Classes)
    - User Registry Classes\Client\PackageGroups\GrpGUID\REGISTRY|
-|Package|- Machine Registry\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY
    - User Registry Classes\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY| -|Native|- Native application registry location| - -There are two COW locations for HKLM: elevated and non-elevated processes. Elevated processes always write HKLM changes to the secure COW under HKLM. Non-elevated processes always write HKLM changes to the non-secure COW under HKCU\\Software\\Classes. When an application reads changes from HKLM, elevated processes will read changes from the secure COW under HKLM. Non-elevated reads from both, favoring the changes made in the unsecure COW first. - -### Pass-through keys - -An administrator can use pass-through keys to configure certain keys to only be read from the native registry, bypassing the Package and COW locations. Pass-through locations are global to the machine (not package-specific) and can be configured by adding the path to the key, which should be treated as pass-through to the **REG\_MULTI\_SZ** value called **PassThroughPaths** of the key HKLM\Software\Microsoft\AppV\Subsystem\VirtualRegistry. Any key that appears under this multi-string value (and their children) will be treated as pass-through. 
- -The following locations are configured as pass-through locations by default: - -- HKEY\_CURRENT\_USER\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel - -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel - -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT - -- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application - -- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger - -- HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings - -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib - -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies - -- HKEY\_CURRENT\_USER\\SOFTWARE\\Policies - -The purpose of pass-through keys is to ensure that a virtual application doesn't write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy-based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI-based applications. Administers ideally shouldn't modify any of the default pass-through keys, but in some instances, the admin may need to add more pass-through keys to adjust application behavior. - -## App-V package store behavior - -App-V manages the Package Store, which is the location where the expanded asset files from the appv file are stored. By default, this location is stored at %ProgramData%\\App-V, and is limited in terms of storage capabilities only by free disk space. The package store is organized by the GUIDs for the package and version as mentioned in the previous section. - -### Add packages - -App-V Packages are staged upon addition to the computer with the App-V Client. The App-V Client provides on-demand staging. 
When publishing or manually entering the **Add-AppVClientPackage** cmdlet, the data structure is built in the package store (C:\\programdata\\App-V\\{PkgGUID}\\{VerGUID}). The package files identified in the publishing block defined in the StreamMap.xml file are added to the system, and the top level folders and child files are staged to ensure proper application assets exist at launch. - -### Mounting packages - -Packages can be explicitly loaded by entering the **Mount-AppVClientPackage** PowerShell cmdlet or by using the **App-V Client UI** to download a package. This operation completely loads the entire package into the package store. - -### Streaming packages - -The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Streaming. Policies are set by entering the **Set-AppvClientConfiguration** PowerShell cmdlet. The following policies apply to streaming: - -|Policy|Description| -|---|---| -|AllowHighCostLaunch|Allows streaming over 3G and cellular networks| -|AutoLoad|Specifies the Background Load setting:
    0 – Disabled
    1 – Previously Used Packages only
    2 – All Packages| -|PackageInstallationRoot|The root folder for the package store in the local machine| -|PackageSourceRoot|The root override where packages should be streamed from| -|SharedContentStoreMode|Enables the use of Shared Content Store for VDI scenarios| - -These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that are important to understand: - -- Background Streaming -- Optimized Streaming -- Stream Faults - -### Background streaming - -The Windows PowerShell cmdlet **Get-AppvClientConfiguration** can be used to determine the current mode for background streaming with the AutoLoad setting and modified with either the **Set-AppvClientConfiguration** cmdlet or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can either be disabled altogether (value=0) or enabled for all packages (value=2), regardless of whether they've been launched. - -### Optimized streaming - -App-V packages can be configured with a primary feature block during sequencing. This setting allows the sequencing engineer to monitor launch files for a specific application, or applications, and mark the blocks of data in the App-V package for streaming at first launch of any application in the package. - -### Stream faults - -After the initial stream of any publishing data and the primary feature block, requests for more files perform stream faults. These blocks of data are downloaded to the package store on an as-needed basis. 
This flexibility allows a user to download only a small part of the package, typically enough to launch the package and run normal tasks. All other blocks are downloaded when a user initiates an operation that requires data not currently in the package store. - -### Package upgrades - -App-V Packages require updating throughout the lifecycle of the application. App-V Package upgrades are like the package publish operation, as each version will be created in its own PackageRoot location: %ProgramData%\App-V\{PkgGUID}\{newVerGUID}. The upgrade operation is optimized by creating hard links to identical and streamed files from other versions of the same package. - -### Package removal - -The App-V Client's behavior when packages are removed depends on the package removal method. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but the package store location and COW locations remain. When the **Remove-AppVClientPackge** Windows PowerShell cmdlet is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server doesn't perform a Remove operation. Neither operation will remove the Package Store package files. - -## Roaming registry and data - -App-V is able to provide a near-native experience when roaming, depending on how the application being used is written. By default, App-V roams AppData that is stored in the roaming location, based on the roaming configuration of the operating system. Other locations for storage of file-based data don't roam from computer to computer, since they're in locations that aren't roamed. 
- -### Roaming requirements and user catalog data storage - -App-V stores data, which represents the state of the user’s catalog, in the form of: - -- Files under %appdata%\\Microsoft\\AppV\\Client\\Catalog -- Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages - -Together, these files and registry settings represent the user’s catalog, so either both must be roamed, or neither must be roamed for a given user. App-V doesn't support roaming %AppData%, but not roaming the user’s profile (registry), or vice versa. - ->[!NOTE] ->The **Repair-AppvClientPackage** cmdlet doesn't repair the publishing state of packages where the user’s App-V state under HKEY_CURRENT_USER is missing or mismatched with the data in %appdata%. - -### Registry-based data - -App-V registry roaming falls into two scenarios, as shown in the following table. - -|Scenario|Description| -|---|---| -|Applications that are run as standard users|When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This scenario presents two distinct paths:

    - HKLM's location is HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE
    - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

    The locations are enabled for roaming based on the operating system settings.|
-|Applications that are run with elevation|When an application is launched with elevation:

    - HKLM data is stored in the HKLM hive on the local computer
    - HKCU data is stored in the User Registry location

    In this scenario, these settings aren't roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following locations:

    - HKLM's location is HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE
    - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE| - -### App-V and folder redirection - -App-V supports folder redirection of the roaming AppData folder (%AppData%). When the virtual environment is started, the roaming AppData state from the user’s roaming AppData directory is copied to the local cache. Conversely, when the virtual environment is shut down, the local cache that is associated with a specific user’s roaming AppData is transferred to the actual location of that user’s roaming AppData directory. - -A typical package has several locations mapped in the user’s backing store for settings in both AppData\\Local and AppData\\Roaming. These locations are the Copy on Write locations that are stored per user in the user’s profile, and that are used to store changes made to the package VFS directories and to protect the default package VFS. - -The following table shows local and roaming locations when folder redirection hasn't been implemented. - -| VFS directory in package | Mapped location of backing store | -|---|---| -| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 | -| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 | -| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows | -| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv_ROOT| -| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\AppData | - -The following table shows local and roaming locations when folder redirection has been implemented for %AppData% and the location has been redirected (typically to a network location). 
- -| VFS directory in package | Mapped location of backing store | -|---|---| -| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 | -| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 | -| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows | -| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv\_ROOT | -| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\<GUID>\AppData | - -The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to more machines, where the process will be repeated. Here's what happens during the process: - -1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory. -2. If the roaming AppData path is local or no AppData\\Roaming location is mapped, nothing happens. -3. If the roaming AppData path isn't local, the VFS AppData directory is mapped to the local AppData directory. - -This process solves the problem of a non-local %AppData% that isn't supported by the App-V Client VFS driver. However, the data stored in this new location isn't roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things: - -1. Shuts down the App-V application, which also shuts down the virtual environment. -2. Compresses the local cache of the roaming AppData location and store it in a .zip file. -3. 
Uses the time stamp at the end of the .zip packaging process to name the file. -4. Records the time stamp in the HKEY\_CURRENT\_USER\\Software\\Microsoft\\AppV\\Client\\Packages\\<GUID>\\AppDataTime registry as the last known AppData time stamp. -5. Calls the folder redirection process to evaluate and initiate the .zip file uploaded to the roaming AppData directory. - -The time stamp is used to determine a “last writer wins” scenario if there's a conflict and is used to optimize the download of the data when the App-V application is published, or the virtual environment is started. Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. Here's what happens during the process: - -1. The user starts an application, which also starts the virtual environment. -2. The application’s virtual environment checks for the most recent time stamped .zip file, if present. -3. The virtual environment checks the registry for the last known uploaded time stamp, if present. -4. The virtual environment downloads the most recent .zip file unless the local last known upload time stamp is greater than or equal to the time stamp from the .zip file. -5. If the local last known upload time stamp is earlier than that of the most recent .zip file in the roaming AppData location, the virtual environment extracts the .zip file to the local temp directory in the user’s profile. -6. After the .zip file is successfully extracted, the local cache of the roaming AppData directory is renamed and the new data moved into place. -7. The renamed directory is deleted and the application opens with the most recently saved roaming AppData data. - -This process completes the successful roaming of application settings that are present in AppData\\Roaming locations. The only other condition that must be addressed is a package repair operation. 
The process does the following things: - -1. During repair, detects if the path to the user’s roaming AppData directory isn't local. -2. Maps the non-local roaming AppData path targets, recreating the expected roaming and local AppData locations. -3. Deletes the time stamp stored in the registry, if present. - -This process will recreate both the local and network locations for AppData and remove the registry record of the time stamp. - -## App-V Client application lifecycle management - -In an App-V Full Infrastructure, after applications are sequenced, they're managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client. - -This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications). - -The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell). - -### Publishing refresh - -The publishing refresh process comprises several smaller operations that are performed on the App-V Client. 
Since App-V is an application virtualization technology and not a task scheduling technology, the Windows Task Scheduler is utilized to enable the process when the user signs in, the machine turns on, and at scheduled intervals. The client configuration during setup listed in the previous section is the preferred method when distributing the client to a large group of computers with the correct settings. These client settings can be configured with the following Windows PowerShell cmdlets: - -- **Add-AppVPublishingServer** configures the client with an App-V Publishing Server that provides App-V packages. -- **Set-AppVPublishingServer** modifies the current settings for the App-V Publishing Server. -- **Set-AppVClientConfiguration** modifies the currents settings for the App-V Client. -- **Sync-AppVPublishingServer** initiates an App-V Publishing Refresh process manually. This process is also utilized in the scheduled tasks created during configuration of the publishing server. - -The following sections will elaborate what goes on during the publishing refresh process. - -#### Adding an App-V package - -Adding an App-V package to the client is the first step of the publishing refresh process. The end result is the same as the **Add-AppVClientPackage** cmdlet in Windows PowerShell, except the publishing refresh add process contacts the configured publishing server and passes a high-level list of applications back to the client to pull more detailed information, rather than just doing a single package add operation. - -The process then configures the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following steps are a detailed workflow of the process, assuming the package is configured for Fault Streaming. - -#### How to add an App-V package - -1. 
Initiate installation manually through Windows PowerShell or Task Sequence initiation of the Publishing Refresh process. - - 1. The App-V Client makes an HTTP connection and requests a list of applications based on the target. The Publishing refresh process supports targeting machines or users. - - 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send more requests to the server for more information on a per-package basis. - -2. The Publishing Agent on the App-V Client will evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group can't be processed. - -3. Configure the packages by identifying the **Add** or **Update** operations. - - 1. The App-V Client utilizes the AppX API from Windows and accesses the appv file from the publishing server. - - 2. The package file is opened and the **AppXManifest.xml** and **StreamMap.xml** files are downloaded to the Package Store. - - 3. Completely stream publishing block data defined in the **StreamMap.xml** file. Publishing block data is stored in Package Store\\PkgGUID\\VerGUID\\Root. - - - Icons: Targets of extension points. - - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, accessed directly or through file types. - - Scripts: Download scripts directory for use throughout the publishing process. - - 4. Populate the Package store by performing the following sub-steps: - - 1. Create sparse files on disk that represent the extracted package for any directories listed. - - 2. Stage top-level files and directories under root. - - All other files are created when the directory is listed as sparse on disk and streamed on demand. - - 5. Create the machine catalog entries. 
Create the **Manifest.xml** and **DeploymentConfiguration.xml** files from the package files (if no **DeploymentConfiguration.xml** file in the package a placeholder is created). - - 6. Create location of the package store in the registry **HKLM\\Software\\Microsoft\\AppV\\Client\\Packages\\PkgGUID\\Versions\\VerGUID\\Catalog**. - - 7. Create the **Registry.dat** file from the package store to **%ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat**. - - 8. Register the package with the App-V Kernel Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**. - - 9. Invoke scripting from the **AppxManifest.xml** or **DeploymentConfig.xml** file for Package Add timing. - -4. Configure Connection Groups by adding and enabling or disabling. - -5. Remove objects that aren't published to the target (user or machine). - - > [!NOTE] - >This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). - -6. Invoke background load mounting based on client configuration. - -7. Packages that already have publishing information for the machine or user are immediately restored. - - > [!NOTE] - >This condition occurs as a product of removal without unpublishing with background addition of the package. - -This process completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). - -![Package add file and registry data.](images/packageaddfileandregistrydata.png) - -**Package add file and registry data** - -#### Publishing an App-V package - -During the Publishing Refresh operation, the specific publishing operation, **Publish-AppVClientPackage**, adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. - -#### How to publish an App-V package - -1. 
Package entries are added to the user catalog - - 1. User targeted packages: the **UserDeploymentConfiguration.xml** and **UserManifest.xml** files are placed on the machine in the User Catalog. - - 2. Machine targeted (global) packages: the **UserDeploymentConfiguration.xml** is placed in the Machine Catalog. - -2. Register the package with the kernel mode driver for the user at **HKLM\\Software\\Microsoft\\AppV\\MAV**. - -3. Perform integration tasks. - - 1. Create extension points. - - 2. Store backup information in the user’s registry and roaming profile (Shortcut Backups). - - > [!NOTE] - >This enables restore extension points if the package is unpublished. - - 3. Run scripts targeted for publishing timing. - -Publishing an App-V Package that is part of a Connection Group is similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. - -![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png) - -**Package add file and registry data—global** - -### Application launch - -After the Publishing Refresh process, the user launches and then relaunches an App-V application. The App-V Client checks the path to the user catalog for files created during publishing. After establishing rights to launch the package, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. Once the virtual environment created and configured for the specific package and application, the application starts. This might seem like a lot, but the process in action is fast, and is optimized to minimize network traffic. - -#### How to launch App-V applications - -1. 
User launches the application by selecting a shortcut or file type invocation. - -2. The App-V Client verifies existence in the User Catalog for the following files - - - **UserDeploymentConfiguration.xml** - - **UserManifest.xml** - -3. If the files are present, the application is entitled for that specific user and the application will start the process for launch. There's no network traffic at this point. - -4. Next, the App-V Client checks that the path for the package registered for the App-V Client service is found in the registry. - -5. Upon finding the path to the package store, the virtual environment is created. - - If this process execution is the first launch, the Primary Feature Block downloads if present. - -6. After downloading, the App-V Client service consumes the manifest and deployment configuration files to configure the virtual environment and all App-V subsystems are loaded. - -7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis. - - ![package add file and registry data - stream.](images/packageaddfileandregistrydata-stream.png) - - **Package add file and registry data—stream** - -### Upgrading an App-V package - -The current version of App-V's package upgrade process differs from the older versions in its storage optimization. App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time, as the package store and catalogs are updated with the new resources. During an upgrade in the new version, only new files are added to the new version store location, and hard links are created for unchanged files. Such results reduce overall storage by only presenting the file on one disk location, then projecting it into all folders with a file location entry on the disk. - -#### How to upgrade an App-V package - -1. 
The App-V Client performs a Publishing Refresh and discovers a newer version of an App-V Package. - -2. Package entries are added to the appropriate catalog for the new version. - - 1. User targeted packages: the **UserDeploymentConfiguration.xml** and **UserManifest.xml** files are placed on the machine in the user catalog at **appdata\\roaming\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID**. - - 2. Machine targeted (global) packages: the **UserDeploymentConfiguration.xml** is placed in the machine catalog at **%programdata%\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID**. - -3. Register the package with the kernel mode driver for the user at **HKLM\\Software\\Microsoft\\AppV\\MAV**. - -4. Perform integration tasks. - - 1. Integrate extensions points (EP) from the Manifest and Dynamic Configuration files. - - 2. File based EP data is stored in the AppData folder utilizing Junction Points from the package store. - - 3. Version 1 EPs already exist when a new version becomes available. - - 4. The extension points are switched to the Version 2 location in machine or user catalogs for any newer or updated extension points. - -5. Run scripts targeted for publishing timing. - -6. Install Side-by-Side assemblies as required. - -### Upgrading an in-use App-V package - -If you try to upgrade a package that is currently in use, the upgrade task is placed in a pending state. The upgrade will run later, according to the following rules: - -| Task type | Applicable rule | -|---|---| -| User-based tasks, such as publishing a package to a user | The pending task will be performed after the user signs out and then signs back in. | -| Globally based tasks, such as enabling a connection group globally | The pending task will be performed when the computer is shut down and then restarted. 
| - -When a task is placed in a pending state, the App-V Client also generates a registry key for the pending task, as follows: - -| User-based or globally based task | Where the registry key is generated | -|---|---| -| User-based tasks | HKEY\_CURRENT\_USER\Software\Microsoft\AppV\Client\PendingTasks | -| Globally based tasks | HKEY\_LOCAL\_MACHINE\Software\Microsoft\AppV\Client\PendingTasks | - -The following operations must be completed before users can use the newer version of the package: - -| Task | Details | -|---|---| -| Add the package to the computer | This task is computer-specific and you can perform it at any time by completing the steps in [How to add an App-V package](#how-to-add-an-app-v-package). | -| Publish the package | See the Package Publishing section above for steps. This process requires that you update extension points on the system. You can't complete this task while the application is in use. | - -Use the following example scenarios as a guide for updating packages. - -| Scenario | Requirements | -|---|---| -| App-V package isn't in use when you try to upgrade | None of the following components of the package can be in use: virtual application, COM server, or shell extensions.

    The administrator publishes a newer version of the package and the upgrade works the next time a component or application inside the package is launched. The new version of the package is streamed and ran. | -| App-V package is in use when the administrator publishes a newer version of the package | The App-V Client sets the operation to "pending," which means that it's queued and will be carried out later when the package isn't in use.

    If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

    If the package has shell extensions, which are permanently loaded by Windows Explorer, the user won't be able to sign in. Users must sign off and then sign back in to initiate the App-V package upgrade.| - -### Global vs. user publishing - -App-V Packages can be published in one of two ways; as user, which entitles an App-V package to a specific user or group of users, or as global, which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package isn't in use, consider the two types of publishing: - -- Global publishing is when the application is published to a machine; all users on that machine can use it. The upgrade will happen when the App-V Client Service starts, which effectively means a machine restart. -- User publishing is when the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. The upgrade will happen when the user signs in or when it's published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly through Windows PowerShell commands). - -### Removing an App-V package - -Removing App-V applications in a Full Infrastructure is an unpublish operation and doesn't perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. - -### Repairing an App-V package - -The repair operation is easy to do but may affect many locations on the machine. The previously mentioned Copy on Write (COW) locations are removed, and extension points are deintegrated and then reintegrated. Before repairing, please review where the COW data placement locations are registered in the registry. 
To perform a Repair operation, all you need to do is initiate it from the App-V Client Console or through the **Repair-AppVClientPackage** PowerShell cmdlet. After that, the operation is completed automatically. - -## Integration of App-V packages - -The App-V Client and package architecture provides specific integration with the local operating system during the addition and publishing of packages. Three files define the integration or extension points for an App-V Package: - -- AppXManifest.xml is stored inside of the package with fallback copies stored in the package store and the user profile. Contains the options created during the sequencing process. -- DeploymentConfig.xml provides configuration information of computer- and user-based integration extension points. -- UserConfig.xml is a subset of the Deploymentconfig.xml file that only provides user-based configurations and only targets user-based extension points. - -### Rules of integration - -When App-V applications are published to a computer with the App-V Client, some specific actions take place as described in the following list: - -- Global Publishing: Shortcuts are stored in the All Users profile location and other extension points are stored in the registry in the HKLM hive. -- User Publishing: Shortcuts are stored in the current user account profile and other extension points are stored in the registry in the HKCU hive. -- Backup and Restore: Existing native application data and registry (such as FTA registrations) are backed up during publishing. - - 1. App-V packages are given ownership based on the last integrated package where the ownership is passed to the newest published App-V application. - 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This transfer won't initiate a restore of the data or registry. - 3. Restore the backed-up data when the last package is unpublished or removed on a per-extension point basis. 
- -### Extension points - -The App-V publishing files (manifest and dynamic configuration) provide several extension points to integrate the application with the local operating system. These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that aren't installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: - -- Shortcuts -- File type associations -- Shell extensions -- COM -- Software clients -- Application capabilities -- URL Protocol handler -- AppPath -- Virtual application - -### Shortcuts - -The shortcut is one of the basic elements of integration with the OS and is the interface for direct user launch of an App-V application. During the publishing and unpublishing of App-V applications. - -From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section as shown in the following example: - -```XML - - - [{Common Desktop}]\Adobe Reader.lnk - [{AppVPackageRoot}]\Reader\AcroRd32.exe - [{Windows}]\Installer\{AC76BA86-7AD7-1033-7B44-A94000000001}\SC_Reader.ico - - - 1 - [{AppVPackageRoot}]\Reader\AcroRd32.exe - - -``` - -As mentioned previously, the App-V shortcuts are placed by default in the user’s profile based on the refresh operation. Global refresh places shortcuts in the All Users profile and user refresh stores them in the specific user’s profile. The actual executable is stored in the Package Store. The location of the ICO file is a tokenized location in the App-V package. - -### File type associations - -Users can use file type invocations or open a file with a registered extension (.docx) to start an App-V application because the App-V Client manages the local operating system File Type Associations during publishing. 
File type associations are present in the manifest and dynamic configuration files, as shown in the following example: - -```XML - - - - .xdp - AcroExch.XDPDoc - application/vnd.adobe.xdp+xml - - - AcroExch.XDPDoc - Adobe Acrobat XML Data Package File - 65536 - [{Windows}]\Installer\{AC76BA86-7AD7-1033-7B44-A94000000001}\XDPFile_8.ico - - Read - - [{AppVPackageRoot}]\Reader\AcroRd32.exe - Open - "[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1" - - - [{AppVPackageRoot}]\Reader\AcroRd32.exe - Printto - "[{AppVPackageRoot}]\Reader\AcroRd32.exe" /t "%1" "%2" "%3" "%4" - - - [{AppVPackageRoot}]\Reader\AcroRd32.exe - Read - Open with Adobe Reader - "[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1" - - - - - -``` - ->[!NOTE] ->In this example: ->- `.xdp` is the extension ->- `AcroExch.XDPDoc` is the ProgId value (which points to the adjoining ProgId) ->- `"[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1"` is the command line, which points to the application executable - -### Shell extensions - -Shell extensions are embedded in the package automatically during the sequencing process. When the package is published globally, the shell extension gives users the same functionality as if the application were locally installed. The application requires no extra setup or configuration on the client to enable the shell extension functionality. - -#### Requirements for using shell extensions - -- Packages that contain embedded shell extensions must be published globally. -- The “bitness” of the application, Sequencer, and App-V Client must match, or the shell extensions won’t work. The following example configuration fulfills the matching requirement: - - The version of the application is 64-bit. - - The Sequencer is running on a 64-bit computer. - - The package is being delivered to a 64-bit App-V Client computer. - -The following table displays the supported shell extensions. - -| Handler | Description | -|---|---| -| Context menu handler | Adds menu items to the context menu. 
it's called before the context menu is displayed. | -| Drag-and-drop handler | Controls the action upon right-click drag-and-drop and modifies the context menu that appears. | -| Drop target handler | Controls the action after a data object is dragged-and-dropped over a drop target, such as a file.| -| Data object handler| Controls the action after a file is copied to the clipboard or dragged-and-dropped over a drop target. It can provide more clipboard formats to the drop target.| -| Property sheet handler| Replaces or adds pages to the property sheet dialog box of an object.| -| Infotip handler| Allows retrieving flags and infotip information for an item and displaying it inside a popup tooltip upon mouse-hover.| -| Column handler| Allows creating and displaying custom columns in Windows Explorer *Details view*. It can be used to extend sorting and grouping.| -| Preview handler| Enables a preview of a file to be displayed in the Windows Explorer Preview Pane.| - -### COM - -The App-V Client supports publishing applications with support for COM integration and virtualization. COM integration allows the App-V Client to register COM objects on the local operating system and virtualization of the objects. For the purposes of this document, the integration of COM objects requires more details. - -App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and In-process. Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes Off, Isolated, and Integrated. Integrated mode is configured for either the Out-of-process or In-process type. Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml). 
- -For details on App-V integration, see [Microsoft Application Virtualization 5.0 Integration](/archive/blogs/appv/microsoft-application-virtualization-5-0-integration). - -### Software clients and application capabilities - -App-V supports specific software clients and application capabilities extension points to register virtualized applications with the operating system's software client. This specific support means users can select default programs for operations like email, instant messaging, and using the media player. This operation is performed in the control panel with **Set Program Access** and **Computer Defaults**, and is configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. - -The following example illustrates a software client registration of an App-V-based mail client. - -```XML - - - - - - - Mozilla Thunderbird - Mozilla Thunderbird - [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe,0 - - - "[{ProgramFilesX86}]\Mozilla Thunderbird\uninstall\helper.exe" /SetAsDefaultAppGlobal - "[{ProgramFilesX86}]\Mozilla Thunderbird\uninstall\helper.exe" /HideShortcuts - "[{ProgramFilesX86}]\Mozilla Thunderbird\uninstall\helper.exe" /ShowShortcuts - - 1 - - - - [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe - "[{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe" -mail - - [{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll - - Thunderbird URL - 2 - [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe,0 - - [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe - "[{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe" -osint -compose "%1" - - - - - - - -``` - ->[!NOTE] ->In this example: ->- `` is the overall Software Clients setting to integrate Email clients. ->- `` is the flag to set a particular Email client as the default Email client. 
->- `[{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll` is the MAPI dll registration. - -### URL Protocol handler - -Virtual applications don't always specifically utilize file type invocation. For, example, in an application that supports embedding a mailto: link inside a document or web page, the user selects the link expecting to access their registered mail client. App-V supports URL Protocol handlers that can be registered on a per-package basis with the local operating system. During sequencing, the URL Protocol handlers are automatically added to the package. - -For situations where there's more than one application that could register the specific URL Protocol handler, the dynamic configuration files can be utilized to modify the behavior and suppress or disable this feature for an application that shouldn't be the primary application launched. - -### AppPath - -The AppPath extension point supports calling App-V applications directly from the operating system. Administrators can provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable from either the Run or Start Screen, depending on the operating system. It therefore avoids modifying the system path environment variable on all systems, as it's accomplished during publishing. - -The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For more information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](/archive/blogs/virtualworld/app-paths-a-virtual-application-extension-in-app-v-5-0). - -### Virtual application - -This subsystem provides a list of applications captured during sequencing which is consumed by other App-V components. Integration of extension points belonging to a specific application can be disabled using dynamic configuration files. 
For example, if a package contains two applications, you can disable all extension points belonging to one application to only allow integration of extension points for the other application. - -### Extension point rules - -The previously described extension points are integrated into the operating system based on how the packages have been published. Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example, a shortcut created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). - -Extension points aren't all published the same way, where some extension points will require global publishing and others require sequencing on the specific operating system and architecture where they're delivered. Below is a table that describes these two key rules. - -|Virtual Extension|Requires target OS sequencing|Requires global publishing| -|---|:---:|:---:| -|Shortcut||| -|File Type Association||| -|URL Protocols|X|| -|AppPaths|X|| -|COM Mode||| -|Software Client|X|| -|Application Capabilities|X|X| -|Context Menu Handler|X|X| -|Drag-and-drop Handler|X|| -|Data Object Handler|X|| -|Property Sheet Handler|X|| -|Infotip Handler|X|| -|Column Handler|X|| -|Shell Extensions|X|| -|Browser Helper Object|X|X| -|Active X Object|X|X| - -## Dynamic configuration processing - -Deploying App-V packages to a single machine or user is simple. However, as organizations deploy App-V applications across business lines and geographic and political boundaries, it becomes impossible to sequence all applications with the same settings. 
App-V was designed to overcome this problem by capturing specific settings and configurations during sequencing in the Manifest file while also supporting modification with Dynamic Configuration files. - -App-V dynamic configuration lets you specify a package policy at either the machine or user levels. Sequencing engineers can use Dynamic Configuration files to modify the configuration of a package post-sequencing to address the needs of individual groups of users or machines. In some instances, it may be necessary to modify the application to provide proper functionality within the App-V environment. For example, you may need to modify the \_\*config.xml files to allow certain actions to be performed at a specified time while executing the application, like disabling a mailto extension to prevent a virtualized application from overwriting that extension from another application. - -App-V packages contain the Manifest file inside of the App-V Package file, which is representative of sequencing operations and is the policy of choice unless Dynamic Configuration files are assigned to a specific package. Post-sequencing, the Dynamic Configuration files can be modified to allow an application to be published to different desktops or users with different extension points. The two Dynamic Configuration files are the Dynamic Deployment Configuration (DDC) and Dynamic User Configuration (DUC) files. This section focuses on the combination of the manifest and dynamic configuration files. - -### Examples of dynamic configuration files - -The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is to show the combination of the files only, not to be a complete description of the specific categories available in each file. 
For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760). - -#### Manifest - -```XML - - - [{Common Programs}]\7-Zip\7-Zip File Manager.lnk - [{AppVPackageRoot}]\7zFM.exe - [{AppVPackageRoot}]\7zFM exe.O.ico - - -``` - -#### Deployment Configuration - -```XML - - - - - - - - - - -``` - -#### User Configuration - -```XML - - - - - [{Desktop}]\7-Zip\7-Zip File Manager.lnk - [{AppVPackageRoot}]\7zFM.exe - [{AppVPackageRoot}]\7zFM exe.O.ico - - - - - - - - [{Desktop}]\7-Zip\7-Zip File Manager.lnk - [{AppVPackageRoot}]\7zFM.exe - [{AppVPackageRoot}]\7zFM.exe.O.ico - - - [{Common Programs}]\7-Zip\7-Zip File Manager.Ink - [{AppVPackageRoot}]\7zFM.exe - [{AppVPackageRoot)]\7zFM.exe.O.ico - - - - - - - - - - - - -``` - -## Side-by-side assemblies - -App-V supports automatic packaging of side-by-side assemblies during sequencing and deployment on the client during virtual application publishing. App-V also supports capturing side-by-side assemblies during sequencing for assemblies not present on the sequencing machine. For assemblies consisting of Visual C++ (Version 8 and newer) or MSXML run-time, the Sequencer will automatically detect and capture these dependencies even if they weren't installed during monitoring. - -The side-by-side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer didn't capture assemblies already present on the sequencing workstation, and privatized the assemblies, which limited it to a bit version per package. This behavior resulted in App-V applications being deployed to clients missing the required side-by-side assemblies, which led to application launch failures. This failure forced the packaging process to document and ensure that all assemblies required for packages were locally installed on the user’s client operating system. 
This task was both a management and implementation challenge due to the number of assemblies and the lack of application documentation for the required dependencies. - -Side-by-side assembly support in App-V has the following features: - -- Automatic captures of side-by-side assembly during sequencing, regardless of whether the assembly was already installed on the sequencing workstation. -- The App-V Client automatically installs required side-by-side assemblies to the client computer at publishing time if they aren't already installed. -- The Sequencer reports the VC run-time dependency in Sequencer reporting mechanism. -- The Sequencer allows opting to not package assemblies already installed on the Sequencer, supporting scenarios where the assemblies have previously been installed on the target computers. - -### Automatic publishing of side-by-side assemblies - -During publishing of an App-V package with side-by-side assemblies, the App-V Client will check for the presence of the assembly on the machine. If it doesn't detect an assembly, the client will deploy the assembly to the machine. Packages that are part of connection groups will rely on the side-by-side assembly installations in the base packages, as the connection groups don't contain any information about assembly installation. - ->[!NOTE] ->Unpublishing or removing a package with an assembly doesn't remove the assemblies for that package. - -## Client logging - -The App-V Client logs information to the Windows Event log in standard ETW format. The specific App-V events can be found in the event viewer under **Applications and Services Logs\\Microsoft\\AppV\\Client**. - -There're three specific categories of events recorded: - -- **Admin** logs events for configurations applied to the App-V Client and also contains the primary warnings and errors. 
-- **Operational** logs the general App-V execution and usage of individual components, creating an audit log of the App-V Client's completed App-V operations.
-- **Virtual Application** logs virtual application launches and use of virtualization subsystems.
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
deleted file mode 100644
index 310cac63128..00000000000
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ /dev/null
@@ -1,49 +0,0 @@ ---- -title: Apply deployment config file via Windows PowerShell (Windows 10/11) -description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11. -author: aczechowski -ms.service: windows-client -ms.date: 06/15/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to apply the deployment configuration file by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. - -## Apply the deployment configuration file with Windows PowerShell - -> [!NOTE] -> The following example cmdlet uses the following two file paths for the package and configuration files: -> -> * C:\\Packages\\Contoso\\MyApp.appv -> * C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml -> -> If your package and configuration files use different file paths than the example, feel free to replace them as needed. - -To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, enter the following cmdlet: - -```PowerShell -Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml -``` - ->[!NOTE] ->This command captures the resulting object into $pkg. 
If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document: -> -> ```PowerShell -> Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml -> ``` - - - - - -## Related articles - -* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md deleted file mode 100644 index cb64552879e..00000000000 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11) -description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11). -author: aczechowski -ms.service: windows-client -ms.date: 06/15/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to apply the user configuration file by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run. - -## Apply a user configuration file - -Here's how to specify a user-specific configuration file: - -> [!NOTE] -> The following example cmdlets use this example file path for its package: -> -> * C:\\Packages\\Contoso\\MyApp.appv. -> -> If your package file uses a different file path than the example, feel free to replace it as needed. - -1. Enter the following cmdlet in Windows PowerShell to add the package to the computer: - - ```PowerShell - Add-AppVClientPackage C:\Packages\Contoso\MyApp.appv - ``` -2. Enter the following cmdlet to publish the package to the user and specify the updated the dynamic user configuration file: - - ```PowerShell - Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath C:\Packages\Contoso\config.xml - ``` - - - - - -## Related articles - -* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md deleted file mode 100644 index 415ade7895a..00000000000 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ /dev/null 
@@ -1,103 +0,0 @@
----
-title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
-description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package.
-
-Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This automatic customization load is applicable to all of the sequencing scenarios:
-
-- Using the **New-BatchAppVSequencerPackages** cmdlet
-- Using the App-V Sequencer interface
-- Using the **New-AppVSequencerPackage** cmdlet
-
->[!NOTE]
->If you're trying to update multiple apps at the same time, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md).
-
-### Sequence multiple apps with a PowerShell cmdlet
-
-Sequencing multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of sequencing.
This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations. - -#### Create your ConfigFile for use by the PowerShell cmdlet - -1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad. - -2. Add the following required XML info for each app: - - - ``````. The name of the app you're adding to the package. - - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - - ``````. The command-line options required for the app installation. - - ``````. The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. - - ``````. Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. - - **Example:** - - ```XML - - - - Skype for Windows - D:\Install\New\SkypeforWindows - SkypeSetup.exe - /S - 20 - True - True - - - Power BI - D:\Install\New\MicrosoftPowerBI - PBIDesktop.msi - /S - 20 - True - True - - - - ``` -3. Save your completed file, using the name **ConfigFile**. 
- -#### Start the App-V Sequencer interface and app installation process - -Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing: - -```PowerShell -New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath -``` - -Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and `````` is the full path to where the sequenced packages should be copied. - -The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After the sequencing and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer, specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. - -### Review the log files - -There are three types of log files that occur when you sequence multiple apps at the same time: - -- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the sequencing activities for each app, such as "Copying installer to VM," "Scheduling sequencing task," and so on. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem. -- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. 
This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps. -- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. - -### Related articles - -- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -- [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server) -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) -- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) -- [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md deleted file mode 100644 index 4b2246bee42..00000000000 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ /dev/null 
@@ -1,157 +0,0 @@
----
-title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
-description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Updating multiple apps at the same time follows a similar process to the one used for [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However, when updating, you'll also have to pass your previously created app package files to the App-V Sequencer cmdlet.
-
-Starting with Windows 10 version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
-
->[!NOTE]
->If you're trying to sequence multiple apps at the same time, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md).
-
-## Update multiple apps with a PowerShell cmdlet
-
-Updating multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of updating.
This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations. - -### Create your ConfigFile for use by the PowerShell cmdlet - -1. Determine the apps that need to be included in your app package, and then open a text editor, such as Notepad. - -2. Add the following XML info for each app: - - - ``````. The name of the app you're adding to the package. - - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - - ``````. The command-line options required for the app installation. - - ``````. The file path to the location of your App-V packages. These packages were created when you sequenced your apps. - - ``````. The maximum amount of time, in minutes, that the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. - - ``````. Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. - - **Example:** - ```XML - - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - true - true - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - true - true - - - ``` - -3. 
Save your completed file under the name **ConfigFile**. - -### Start the App-V Sequencer interface and app installation process - -- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating: - - ```PowerShell - New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath - ``` - Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed that you'll run the batch updating on, and `````` is the full path to where the updated packages should be copied. - - The cmdlet creates a "clean" checkpoint on the VM. After the checkpoint is created, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This copy-operation opens a new session of the VM (through VMConnect), allowing app updates to begin from the command-line. After the update and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. - -## Update multiple apps with the App-V Sequencer interface - -Updating multiple apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. - -### Create your ConfigFile for use by the App-V Sequencer interface - -1. Determine the apps that need to be updated and then open a text editor, such as Notepad. - -2. Add the following XML info for each app: - - - ``````. The name of the app you're adding to the package. - - ``````. 
The file path to the folder with the app installer. - - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - - ``````. The file path to the location of your App-V packages. These packages were created when you sequenced your apps. - - ``````. The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. - - ``````. Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. - - **Example:** - - ```XML - - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - false - true - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - false - true - - - ``` - -### Start the App-V Sequencer interface and app installation process - -- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating: - - ```PowerShell - New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath - ``` - Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and `````` is the full path to where the updated packages should be copied. - - This cmdlet creates a "clean" checkpoint on the VM. 
After the checkpoint is created, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This opens a new session of the VM (through VMConnect) and app updating begins from the command-line. After the updating and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted to a "clean" checkpoint and turned off. - -### Review the log files - -There are three types of log files that occur when you sequence multiple apps at the same time: - -- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about updating activities for each app, such as "Copying installer to VM," "Scheduling updating task," and so on. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem. -- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps. -- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the **NewAppVSequencerPackage** cmdlet, including the allowed parameters. 
- -### Related articles - -- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -- [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server) -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) -- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) -- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md deleted file mode 100644 index d56ea57fc80..00000000000 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -title: Auto-remove unpublished packages on App-V client (Windows 10/11) -description: How to automatically clean up any unpublished packages on your App-V client devices. -author: aczechowski -ms.service: windows-client -ms.date: 06/15/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# Automatically clean up unpublished packages on the App-V client - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Starting with Windows 10 version 1703, use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. - -## Clean up with PowerShell cmdlets - -You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting, which will automatically clean up your unpublished App-V packages from your App-V client devices. - -### Turn on the AutoCleanupEnabled option - -1. Open PowerShell as an admin and enter the following cmdlet to turn on the automatic package cleanup functionality: - - ```PowerShell - Set-AppvClientConfiguration -AutoCleanupEnabled 1 - ``` - - After running the cmdlet, you should see the following info on the PowerShell screen: - - |Name|Value|SetbyGroupPolicy| - |---|---|---| - |AutoCleanupEnabled|1|False| - -1. Run the following cmdlet to check if the configuration has the cleanup setting turned on. - - ```PowerShell - Get-AppvClientConfiguration - ``` - If the **AutoCleanupEnabled** option shows a value of **1** in the configuration list, that means the setting is turned on. 
- -## Clean up with Group Policy settings - -Using Group Policy, you can turn on the **Enable automatic cleanup of unused App-V packages** setting to automatically clean up your unpublished App-V packages from your App-V client devices. - -### Turn on the Enable automatic cleanup of unused App-V packages setting - -1. Open your Group Policy editor and select the **Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused App-V packages** setting. - -2. Select **Enabled**, then select **OK**. - - After your Group Policy updates and you reset the client, the setting will clean up any unpublished App-V packages on the App-V client. - - - - - -## Related articles - -- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -- [Deploying App-V for Windows client](appv-deploying-appv.md) -- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md deleted file mode 100644 index 50e6dd4a877..00000000000 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ /dev/null 
@@ -1,129 +0,0 @@
----
-title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
-description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Starting with Windows 10 version 1703, the `New-AppVSequencerVM` and `Connect-AppvSequencerVM` Windows PowerShell cmdlets are available, which automatically create your sequencing environment for you, including provisioning your virtual machine.
-
-## Automatic VM provisioning of the sequencing environment
-
-You have two options for provisioning a VM for auto-sequencing:
-
-1. Using a Virtual Hard Disk (VHD)
-2. Updating an existing VM
-
-You can only choose one option.
-
->[!NOTE]
->We have reduced the number of environmental checks performed by the App-V Sequencer, narrowing down the list of apps that need to be disabled or turned off for a clean sequencing experience. We've also suppressed antivirus and other similar app warnings.
-
-### Provision a new VM with a VHD file
-
-Provisioning your new VM includes creating a VHD file, setting up a user account, turning on remote PowerShell scripting, and installing the App-V Sequencer.
- -#### Create a VHD file - -For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0) command-line tool. - -#### Create a VHD file with the Convert-WindowsImage command-line tool - -1. Open PowerShell as an admin and run the **Convert-WindowsImage** tool, using the following commands: - - ```ps1 - Convert-WindowsImage -SourcePath "" -VHDFormat "VHD" -VHDPartitionStyle "MBR" - ``` - Where `````` is the full path to your ISO image. - ->[!IMPORTANT] ->You must specify the *VHDPartitionStyle* as **MBR**. If you use the default value, **GPT**, will cause a boot failure in your VHD image. - -#### Provision your VM with your VHD file - -After you have a VHD file, you must provision your VM for auto-sequencing. - -1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). -2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server). -3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters: - - ```PowerShell - New-AppVSequencerVM -VMName "" -ADKPath "" -VHDPath "" -VMMemory "" -VMSwitch "" - ``` - - This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start. 
- -### Provision an existing VM for auto-sequencing - -If your apps require custom prerequisites, such as Microsoft SQL Server, we recommend that you preinstall the prerequisites on your VM and then use that VM for auto-sequencing. Using these steps will establish a connection to your existing VM. - -#### Connect to your existing VM - -- Open PowerShell as an admin and run the following commands on your existing VM: - - - **Set the network category of your connection profile on the VM to _Private_:** - - ```PowerShell - Get-netconnectionprofile | set-netconnectionprofile -NetworkCategory Private - ``` - - - **Enable firewall rules for _Remote Desktop_ and _Windows Remote Management_:** - - ```PowerShell - Enable-NetFirewallRule -DisplayGroup “Remote Desktop” - Enable-NetFirewallRule -DisplayGroup “Windows Remote Management” - ``` - - - **Set the VM to receive remote commands without a confirmation prompt:** - - ```PowerShell - Enable-PSRemoting –Force - ``` - -#### Provision an existing VM - -1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). - -2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters: - - ```ps1 - Connect-AppvSequencerVM -VMName "" - ``` - - Where `````` is the name of the VM as shown in the Hyper-V Manager tool. - -This command connects to an existing Hyper-V VM using the provided VM name for auto-sequencing. - -### Review the provisioning log files - -The two types of provisioning log files, located at %temp%\AutoSequencer\Logs, are: - -- **New-AppVSequencerVM-.txt**. Includes info about the provisioning activities, such as "Waiting for VM session", "Copying installer for Sequencer", and so on. 
-- **Connect-AppvSequencerVM-report-.txt**. Includes info about the connections made to the VM, showing whether there were any failures. - -### Next steps - -After provisioning your sequencing environment, you must sequence your apps, either as a group or individually. For more info about sequencing your apps, see the following articles - -- [Manually sequence a single new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - -After you sequence your packages, you can automatically clean up any unpublished packages on the App-V client. To learn more, see [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md). - -### Related articles - -- [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0) -- [Download the Windows ADK](/windows-hardware/get-started/adk-install) -- [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server) diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md deleted file mode 100644 index 32afb3de6ba..00000000000 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ /dev/null 
@@ -1,34 +0,0 @@
----
-title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11)
-description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/15/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# Available Mobile Device Management (MDM) settings for App-V
-
-Starting with Windows 10 version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page.
-
-|Policy name|Supported versions|URI full path|Data type|Values|
-|---|---|---|---|---|
-|Name|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.|
-|Version|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.|
-|Publisher|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.|
-|InstallLocation|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.|
-|InstallDate|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.|
-|Users|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.|
-|AppVPackageID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.|
-|AppVVersionID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.|
-|AppVPackageUri|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V packages.|
-|LastError|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
    AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| -|LastErrorDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
    - **1**: Unpublish groups failed during publish.
    - **2**: Publish no-group packages failed during publish.
    - **3**: Publish group packages failed during publish.
    - **4**: Unpublish packages failed during publish.
    - **5**: New policy write failed during publish.
    - **6**: Multiple non-fatal errors occurred during publish.| -|SyncStatusDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
    - **1**: App-V connection groups publish in progress.
    - **2**: App-V packages (non-connection group) publish in progress.
    - **3**: App-V packages (connection group) publish in progress.
    - **4**: App-V packages unpublish in progress.| -|SyncProgress|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
    - **1**: App-V Sync is initializing.
    - **2**: App-V Sync is in progress.
    - **3**: App-V Sync is complete.
    - **4**: App-V Sync requires device reboot.| -|PublishXML|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
    AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| -|Policy|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
    AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
deleted file mode 100644
index 5d052067c57..00000000000
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ /dev/null
@@ -1,198 +0,0 @@
----
-title: App-V Capacity Planning (Windows 10/11)
-description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# App-V Capacity Planning
-
->Applies to: Windows Server 2016
-
-The following recommendations can be used as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
-
->[!IMPORTANT]
->Use the information in this section only as a general guide for planning your App-V deployment. Your system capacity requirements will depend on the specific details of your hardware and application environment. Additionally, the performance numbers displayed in this document are examples and your results may vary.
-
-## Determine the project scope
-
-Before you design the App-V infrastructure, determining which applications will be available virtually, and also identify the target users and their locations. This information will determine what type of App-V infrastructure your project should implement. You should base your decisions about your project's scope on your organization's specific needs.
-
-|Task|More information|
-|----|----------------|
-|Determine application scope|The App-V infrastructure can be set up in different ways depending on which applications you want to virtualize. This customization in set up means your first task is to define which applications you want to virtualize.|
-|Determine location scope|"Location scope" refers to the physical locations where you plan to run the virtualized applications (for example, enterprise-wide or a specific geographic location).
It can also refer to the user population that will run the virtual applications (for example, a single department). You should obtain a network map that includes the connection paths, the available bandwidth for each location, the number of users using virtualized applications, and the WAN link speed.| - -## Determine which App-V infrastructure is required - -You can also manage your App-V environment using an electronic software distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information, see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). - -* **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no extra components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). The standalone model is recommended for the following scenarios: - - * When there are disconnected remote users who can't connect to the App-V infrastructure. - * When you're running a software management system, such as Configuration Manager. - * When network bandwidth limitations inhibit electronic software distribution. -* **Full infrastructure model**—The full infrastructure model provides for software distribution, management, and reporting capabilities; it also includes the streaming of applications across the network. The App-V full infrastructure model consists of one or more App-V management servers that can be used to publish applications to all clients. Publishing places the virtual application icons and shortcuts on the target computer. It can also stream applications to local users. 
For more information about how to install the management server, see [Planning for App-V Server deployment](appv-planning-for-appv-server-deployment.md). The full infrastructure model is recommended for the following scenarios: - - * When you want to use the Management Server to publish the application to target computers. - * For rapid provisioning of applications to target computers. - * When you want to use App-V reporting. - ->[!IMPORTANT] ->The App-V full infrastructure model requires Microsoft SQL Server to store configuration data. For more information, see [App-V supported configurations](appv-supported-configurations.md). - -## End-to-end server sizing guidance - -The following section describes end-to-end App-V sizing and planning. For more specific information, refer to the subsequent sections. - ->[!NOTE] ->Round trip response time on the client is the time taken by the computer running the App-V client to receive a successful notification from the publishing server. Round trip response time on the publishing server is the time taken by the computer running the publishing server to receive a successful package metadata update from the management server. - -* 20,000 clients can target a single publishing server to obtain the package refreshes in an acceptable round trip time (<3 seconds). -* A single management server can support up to 50 publishing servers for package metadata refreshes in an acceptable round trip time (<5 seconds). - -## App-V Management Server capacity planning recommendations - -The App-V publishing servers require the management server for package refresh requests and package refresh responses. The management server then sends the information to the management database to retrieve information. For more information about App-V management server supported configurations, see [App-V supported configurations](appv-supported-configurations.md). - ->[!NOTE] ->The default refresh time on the App-V publishing server is ten minutes. 
- -When multiple simultaneous publishing servers contact a single management server for package metadata refreshes, the following three factors will influence the publishing server's round-trip response time: - -1. The number of publishing servers making simultaneous requests. -2. The number of connection groups configured on the management server. -3. The number of access groups configured on the management server. - -The following table describes each factor that impacts round-trip time in more detail. - ->[!NOTE] ->Round trip response time is the time taken by the computer running the App-V publishing server to receive a successful package metadata update from the management server. - -|Factors impacting round-trip response time|Description| -|------------------------------------------|-----------| -|The number of publishing servers simultaneously requesting package metadata refreshes.|A single management server can respond to up to 320 publishing servers simultaneously requesting publishing metadata. For example, in a case with 30 publishing servers simultaneously requesting publishing metadata, the round-trip response time is about 40 seconds, while for less than 50 servers it's less than 5 seconds. From 50 to 320 publishing servers, response team increases linearly (approximately 2×).| -|The number of connection groups configured on the management server.|For up to 100 connection groups, there's no significant change in the round-trip response time on the publishing server. For 100–400 connection groups, there's a minor linear increase in the round-trip response time.| -|The number of access groups configured on the management server.|For up to 40 access groups, there's a linear (approximately 3×) increase in the round-trip response time on the publishing server.| - -The following table displays sample values for each of the previous factors. In each variation, 120 packages are refreshed from the App-V management server. 
- -|Scenario|Variation|Number of connection groups|Number of access groups|Number of publishing servers|Network connection type|Round-trip response time (seconds)|Management server CPU utilization| -|---|---|---|---|---|---|---|---| -|Publishing servers contact management server for publishing metadata at same time|Number of publishing servers.|0
    0
    0
    0
    0
    0|1
    1
    1
    1
    1
    1|50
    100
    200
    300
    315
    320|LAN|5
    10
    19
    32
    30
    37|17
    17
    17
    15
    17
    15| -|Publishing metadata contains connection groups|Number of connection groups|10
    20
    100
    150
    300
    400|1
    1
    1
    1
    1
    1|100
    100
    100
    100
    100
    100|LAN|10
    11
    11
    16
    22
    25|17
    19
    22
    19
    20
    20| -|Publishing metadata contains access groups|Number of access groups|0
    0
    0
    0|1
    10
    20
    40|100
    100
    100
    100|LAN|10
    43
    153
    535|17
    26
    24
    24| - -The CPU utilization of the computer running the management server is around 25% irrespective of the number of publishing servers targeting it. The Microsoft SQL Server database transactions/sec, batch requests/sec and user connections are identical irrespective of the number of publishing servers. For example, transactions/sec is approximately 30, batch requests approximately 200, and user connects approximately six. - -Through a geographically distributed deployment, where the management server and publishing servers utilize a slow link network between them, the round-trip response time on the publishing servers is within acceptable time limits (<5 seconds), even for 100 simultaneous requests on a single management server. - -|Scenario|Variation|Number of connection groups|Number of access groups|Number of publishing servers|Network connection type|Round-trip response time (seconds)|Management server CPU utilization (in %)| -|---|---|---|---|---|---|---|---| -|Network connection between the publishing server and management server|1.5 Mbps Slow link Network|0
    0|1
    1|50
    100|1.5 Mbps Cable DSL|4
    5|1
    2| -|Network connection between the publishing server and management server|LAN/WiFi Network|0
    0|1
    1|100
    200|WiFi|11
    20|15
    17| - -Whether the management server and publishing servers are connected over a slow link network, or a high speed network, the management server can handle approximately 15,000 package refresh requests in 30 minutes. - -## App-V Reporting Server capacity planning recommendations - -App-V clients send reporting data to the reporting server. The reporting server then records the information in the Microsoft SQL Server database and returns a successful notification back to the computer running App-V client. For more information about the App-V Reporting Server's supported configurations, see [App-V supported configurations](appv-supported-configurations.md). - ->[!NOTE] ->Round-trip response time is the time taken by the computer running the App-V client to send the reporting information to the reporting server and receive a successful notification from the reporting server. - -|Scenario|Summary| -|---|---| -|Multiple App-V clients send reporting information to the reporting server simultaneously.|Round-trip response time from the reporting server is 2.6 seconds for 500 clients. Round-trip response time from the reporting server is 5.65 seconds for 1000 clients. Round-trip response time increases linearly depending on number of clients.| -|Requests per second processed by the reporting server.|A single reporting server and a single database can process a maximum of 139 requests per second. The average is 121 requests/second. With the help of two reporting servers that report to the same Microsoft SQL Server database, the average requests/second, like a single reporting server, is about 127, with a max of 278 requests/second. A single reporting server can process 500 concurrent/active connections. A single reporting server can process a maximum 1,500 concurrent connections.| -|Reporting database.|Lock contention on the computer running Microsoft SQL Server is the limiting factor for requests/second. 
Throughput and response time are independent of database size.| - -### Calculating random delay - -The random delay specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between **0** and **ReportingRandomDelay** and will wait the specified duration before sending data. - -*Random delay = 4 × number of clients/average requests per second*. - -Example: Random delay for 500 clients with 120 requests per second is *4 × 500/120 = about 17 minutes*. - -## App-V publishing server capacity planning recommendations - -Computers running the App-V client connect to the App-V publishing server to send a publishing refresh request and receive a response. Round trip response time is measured on the computer running the App-V client, while processor time is measured on the publishing server. For more information about App-V Publishing Server supported configurations, see [App-V supported configurations](appv-supported-configurations.md). - -> [!IMPORTANT] -> The following list displays the main factors to consider when setting up the App-V publishing server: -> * The number of clients connecting simultaneously to a single publishing server. -> * The number of packages in each refresh. -> * The available network bandwidth in your environment between the client and the App-V publishing server. - -|Scenario|Summary| -|---|---| -|Multiple App-V clients connect to a single publishing server simultaneously.|A publishing server running dual core processors can respond to at most 5000 clients requesting a refresh simultaneously. For 5,000–10,000 clients, the publishing server requires a minimum quad core. For 10,000–20,000 clients, the publishing server should have dual quad cores for more efficient response times. A publishing server with a quad core can refresh up to 10,000 packages within three seconds. 
(Supports 10,000 simultaneous clients.)| -|Number of packages in each refresh.|Increasing number of packages will increase response time by about 40% (up to 1,000 packages).| -|Network between the App-V client and the publishing server.|Across a slow network (1.5-Mbps bandwidth), there's a 97% increase in response time compared to LAN (up to 1,000 users).| - ->[!NOTE] ->The publishing server CPU usage is always high during the time interval when it must process simultaneous requests (>90% in most cases). The publishing server can handle about 1,500 client requests in one second. - -|Scenario|Variation|Number of App-V clients|Number of packages|Processor configuration on publishing server|Network connection type|App-V client round-trip time (in seconds)|Publishing server CPU utilization (in %)| -|---|---|---|---|---|---|---|---| -|App-V client sends publishing refresh request and receives response, each request containing 120 packages|Number of clients|100
    1,000
    5,000
    10,000|120
    120
    120
    120|Dual Core
    Dual Core
    Quad Core
    Quad Core|LAN|1
    2
    2
    3|100
    99
    89
    77| -|Multiple packages in each refresh.|Number of packages|1,000
    1,000|500
    1,000|Quad Core|LAN|2
    3|92
    91| -|Network between client and publishing server.|1.5 Mbps Slow link network|100
    500
    1,000|120
    120
    120|Quad Core|1.5-Mbps intra-continental network|3
    10 (0.2% failure rate)
    7 (1% failure rate)|| - -## App-V streaming capacity planning recommendations - -Computers running the App-V client stream the virtual application package from the streaming server. Round trip response time is measured on the computer running the App-V client, and is the time taken to stream the entire package. - -> [!IMPORTANT] -> The following list identifies the main factors to consider when setting up the App-V streaming server: -> * The number of clients streaming application packages simultaneously from a single streaming server. -> * The size of the package being streamed. -> * The available network bandwidth in your environment between the client and the streaming server. - -|Scenario|Summary| -|---|---| -|Multiple App-V clients stream applications from a single streaming server simultaneously.|If the number of clients simultaneously streaming from the same server increases, there's a linear relationship with the package download/streaming time.| -|Size of the package being streamed.|The package size has a significant impact on the streaming/download time only for larger packages with a size of about 1 GB. For package sizes ranging from 3 MB to 100 MB, the streaming time ranges from 20 seconds to 100 seconds, with 100 simultaneous clients.| -|Network between the App-V client and the streaming server.|Across a slow network (1.5-Mbps bandwidth), there's a 70–80% increase in response time compared to LAN (up to 100 users).| - -The following table displays sample values for each of the factors in the previous list: - -|Scenario|Variation|Number of App-V clients|Size of each package|Network connection type|Round-trip time on the App-V client (in seconds)| -|---|---|---|---|---|---| -|Multiple App-V clients streaming virtual application packages from a streaming server.|Number of clients.|100
    200
    1,000
    100
    200
    1,000|3.5 MB
    3.5 MB
    3.5 MB
    5 MB
    5 MB
    5 MB|LAN|29
    39
    391
    35
    68
    461| -|Size of each package being streamed.|Size of each package.|100
    200
    100
    200|21 MB
    21 MB
    109 MB
    109 MB|LAN|33
    83
    100
    160| -|Network connection between client and App-V streaming server.|1.5 Mbps Slow link network.|100
    100|3.5 MB
    5 MB|1.5-Mbps intra-continental network|102
    121| - -Each App-V streaming server should be able to handle a minimum of 200 clients concurrently streaming virtualized applications. - ->[!NOTE] ->The actual time to it will take to stream is determined primarily by the number of clients streaming simultaneously, number of packages, package size, the server’s network activity, and network conditions. - -For example, an average user can stream a 100-MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real-world environments, streaming demand isn't uniformly distributed, you'll need to understand the approximate peak streaming requirements present in your environment to properly size the number of required streaming servers. - -The number of clients a streaming server can support can be increased and the peak streaming requirements reduced if you pre-cache your applications. You can also increase the number of clients a streaming server can support by using on-demand streaming delivery and stream optimized packages. - -## Combining App-V server roles - -Discounting scaling and fault-tolerance requirements, the minimum number of servers that a location with Active Directory connectivity needs to function is 1. This server will host the management server, management server service, and Microsoft SQL Server roles. This coverage means that you can arrange server roles in any combination you like, as they don't conflict with one another. - -Notwithstanding scaling requirements, the minimum number of servers that a fault-tolerant implementation needs to function is four. The management server and Microsoft SQL Server roles support placement in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure. - -Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. 
Additionally, if App-V roles are combined, the resulting incompatibilities could cause certain fault-tolerance options to stop working.
-
-
-
-
-
-## Related articles
-
-* [App-V supported configurations](appv-supported-configurations.md)
-* [Planning for high availability with App-V](appv-planning-for-high-availability-with-appv.md)
-* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
deleted file mode 100644
index c7b029ac7a4..00000000000
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: About Client Configuration Settings (Windows 10/11)
-description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# About Client Configuration Settings
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).
-
-You can use Group Policy to configure App-V client settings by navigating to the **Group Policy management console** at **Computer Configuration** > **Administrative Templates** > **System** > **App-V**.
-
-## App-V Client Configuration Settings: Windows PowerShell
-
-The following table provides information about App-V client configuration settings that can be configured through Windows PowerShell cmdlets:
-
-
-| Windows PowerShell cmdlet or cmdlets,
    **Option**
    Type | Description | Disabled policy state keys and values | -|------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-PackageInstallationRoot**
    String | Specifies directory where all new applications and updates will be installed. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-PackageSourceRoot**
    String | Overrides source location for downloading package content. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-AllowHighCostLaunch**
    True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows client machines connected by a metered network connection (for example, 4G). | 0 | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReestablishmentRetries**
    Integer (0–99) | Specifies the number of times to retry a dropped session. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReestablishmentInterval**
    Integer (0–3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-LocationProvider**
    String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-CertFilterForClientSsl**
    String | Specifies the path to a valid certificate in the certificate store. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-VerifyCertificateRevocationList**
    True (enabled); False (Disabled state) | Verifies Server certificate revocation status before streaming with HTTPS. | 0 | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-SharedContentStoreMode**
    True (enabled); False (Disabled state) | Specifies that streamed package contents will not be saved to the local hard disk. | 0 | -| Set-AppvPublishingServer

    **-Name**
    String | Displays the name of publishing server. | Policy value not written (same as Not Configured) | -| Set-AppvPublishingServer

    **-URL**
    String | Displays the URL of publishing server. | Policy value not written (same as Not Configured) | -| Set-AppvPublishingServer

    **-GlobalRefreshEnabled**
    True (enabled); False (Disabled state) | Enables global publishing refresh (Boolean) | False | -| Set-AppvPublishingServer

    **-GlobalRefreshOnLogon**
    True (enabled); False (Disabled state) | Triggers a global publishing refresh on sign in. (Boolean) | False | -| Set-AppvPublishingServer

    **-GlobalRefreshInterval**
    Integer (0–744) | Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, specify 0. | 0 | -| Set-AppvPublishingServer

    **-GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | -| Set-AppvPublishingServer

    **-UserRefreshEnabled**
    True (enabled); False (Disabled state) | Enables user publishing refresh (Boolean) | False | -| Set-AppvPublishingServer

    **-UserRefreshOnLogon**
    True (enabled); False (Disabled state) | Triggers a user publishing refresh on sign in. (Boolean) Word count (with spaces): 60 | False | -| Set-AppvPublishingServer

    **-UserRefreshInterval**
    Word count (with spaces): 85
    Integer (0–744 Hours) | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | 0 | -| Set-AppvPublishingServer

    **-UserRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-MigrationMode**
    True (enabled state); False (Disabled state) | Migration mode allows the App-V client to modify shortcuts and FTAs for packages created by a previous version of App-V. | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-EnablePackageScripts**
    True (enabled); False (Disabled state) | Enables scripts defined in the package manifest of configuration files that should run. | | -| Set-AppvClientConfiguration

    **-RoamingFileExclusions**
    String | Specifies the file paths relative to %userprofile% that don't roam with a user's profile. For example, ```/ROAMINGFILEEXCLUSIONS='desktop;my pictures'``` | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-RoamingRegistryExclusions**
    String | Specifies the registry paths that don't roam with a user profile. For example, ```/ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients``` | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-IntegrationRootUser**
    String | Specifies the location to create symbolic links associated with the current version of a per-user published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links won't be used when you publish the package. For example, ```%localappdata%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-IntegrationRootGlobal**
    String | Specifies the location to create symbolic links associated with the current version of a globally published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links won't be used when you publish the package. For example, ```%allusersprofile%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-VirtualizableExtensions**
    String | A comma-delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command-line parameter will be added, and the application will run virtually. For more information about the **RunVirtual** parameter, see [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md). | Policy value not written | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingEnabled**
    True (enabled); False (Disabled state) | Returns information to a reporting server. | False | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingServerURL**
    String | Specifies the location on the reporting server where client information is saved. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingDataCacheLimit**
    Integer \[0–1024\] | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingDataBlockSize**
    Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This limit can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingStartTime**
    Integer (0–23) | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0–23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
    **Note** You should configure this setting to a time when computers running the App-V client are least likely to be offline. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingInterval**
    Integer | Specifies the retry interval that the client will use to resend data to the reporting server. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This method can help to prevent collisions on the server. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    -EnableDynamicVirtualization
    1 (Enabled), 0 (Disabled) | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Enables the publishing refresh progress bar for the computer running the App-V Client. | | -| Sync-AppvPublishingServer

    **-HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Hides the publishing refresh progress bar. | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ProcessesUsingVirtualComponents**
    String | Specifies a list of process paths (that may contain wildcards) that are candidates for using dynamic virtualization (such as supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | Empty string. | - -## App-V client configuration settings: registry keys - -The following table provides information about App-V client configuration settings that can be configured through the registry: - - -| **Setting name**
    Type | Registry key value | Disabled policy state keys and values | -|--------------------------------------------------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------| -| **PackageInstallationRoot**
    String | Streaming\\PackageInstallationRoot | Policy value not written (same as Not Configured) | -| **PackageSourceRoot**
    String | Streaming\\PackageSourceRoot | Policy value not written (same as Not Configured) | -| **AllowHighCostLaunch**
    True (Enabled); False (Disabled state) | Streaming\\AllowHighCostLaunch | 0 | -| **ReestablishmentRetries**
    Integer (0–99) | Streaming\\ReestablishmentRetries | Policy value not written (same as Not Configured) | -| **ReestablishmentInterval**
    Integer (0–3600) | Streaming\\ReestablishmentInterval | Policy value not written (same as Not Configured) | -| **LocationProvider**
    String | Streaming\\LocationProvider | Policy value not written (same as Not Configured) | -| **CertFilterForClientSsl**
    String | Streaming\\CertFilterForClientSsl | Policy value not written (same as Not Configured) | -| **VerifyCertificateRevocationList**
    True (Enabled); False (Disabled state) | Streaming\\VerifyCertificateRevocationList | 0 | -| **SharedContentStoreMode**
    True (Enabled); False (Disabled state) | Streaming\\SharedContentStoreMode | 0 | -| **Name**
    String | Publishing\\Servers{serverId}\\FriendlyName | Policy value not written (same as Not Configured) | -| **URL**
    String | Publishing\\Servers{serverId}\\URL | Policy value not written (same as Not Configured) | -| **GlobalRefreshEnabled**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\GlobalEnabled | False | -| **GlobalRefreshOnLogon**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\GlobalLogonRefresh | False | -| **GlobalRefreshInterval**
    Integer (0–744) | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshInterval | 0 | -| **GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshIntervalUnit | 1 | -| **UserRefreshEnabled**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\UserEnabled | False | -| **UserRefreshOnLogon**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\UserLogonRefresh | False | -| **UserRefreshInterval**
    Word count (with spaces): 85; Integer (0–744 Hours) | Publishing\\Servers{serverId}\\UserPeriodicRefreshInterval | 0 | -| **UserRefreshIntervalUnit**
    0 for hour, 1 for day | Publishing\\Servers{serverId}\\UserPeriodicRefreshIntervalUnit | 1 | -| **MigrationMode**
    True(Enabled state); False (Disabled state) | Coexistence\\MigrationMode | | -| **EnablePackageScripts**
    True (Enabled); False (Disabled state) | \\Scripting\\EnablePackageScripts | | -| **RoamingFileExclusions**
    String | | | -| **RoamingRegistryExclusions**
    String | Integration\\RoamingRegistryExclusions | Policy value not written (same as Not Configured) | -| **IntegrationRootUser**
    String | Integration\\IntegrationRootUser | Policy value not written (same as Not Configured) | -| **IntegrationRootGlobal**
    String | Integration\\IntegrationRootGlobal | Policy value not written (same as Not Configured) | -| **VirtualizableExtensions**
    String | Integration\\VirtualizableExtensions | Policy value not written | -| **ReportingEnabled**
    True (Enabled); False (Disabled state) | Reporting\\EnableReporting | False | -| **ReportingServerURL**
    String | Reporting\\ReportingServer | Policy value not written (same as Not Configured) | -| **ReportingDataCacheLimit**
    Integer \[0–1024\] | Reporting\\DataCacheLimit | Policy value not written (same as Not Configured) | -| **ReportingDataBlockSize**
    Integer \[1024–Unlimited\] | Reporting\\DataBlockSize | Policy value not written (same as Not Configured) | -| **ReportingStartTime**
    Integer (0–23) | Reporting\\ StartTime | Policy value not written (same as Not Configured) | -| **ReportingInterval**
    Integer | Reporting\\RetryInterval | Policy value not written (same as Not Configured) | -| **ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Reporting\\RandomDelay | Policy value not written (same as Not Configured) | -| EnableDynamicVirtualization
    1 (Enabled), 0 (Disabled) | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Virtualization | | -| **EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Publishing | | -| **HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | | | -| **ProcessesUsingVirtualComponents**
    String | Virtualization\\ProcessesUsingVirtualComponents | Empty string. | - -## Related topics - -* [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md) diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md deleted file mode 100644 index 23f43e8cb3a..00000000000 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ /dev/null 
@@ -1,63 +0,0 @@
----
-title: How to configure access to packages by using the Management Console (Windows 10/11)
-description: How to configure access to packages by using the App-V Management Console.
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# How to configure access to packages by using the Management Console
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group.
-
-Use the following procedure to configure access to virtualized packages.
-
-## Grant access to an App-V package
-
-1. Find the package you want to configure:
-
- 1. Open the App-V Management console.
-
- 1. Right-click the package to be configured, then select **Edit active directory access** to display the **AD Access** page. Alternatively, select the package and select **Edit** in the **AD Access** pane.
-
-2. Provision a security group for the package:
-
- 1. Go to the **Find valid Active Directory names and grant access** page.
-
- 1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**.
-
- > [!NOTE]
- > Ensure that you provide an associated domain name for the group that you are searching for.
-
-3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane.
-
-4. Select **Close** to accept the default configuration settings and close the AD Access page.
-
- To customize configurations for a specific group, select the **Assigned configurations** drop-down menu, then select **Custom**. To make changes to your custom configurations, select **Edit**. After you grant access, select **Close**.
-
-## Remove access to an App-V package
-
-1. Find the package you want to configure:
-
- 1. Open the App-V Management console.
-
- 1. To display the **AD Access** page, right-click the package to be configured, then select **Edit active directory access**. Alternatively, select the package, then select **Edit** in the **AD Access** pane.
-
-2. Select the group you want to remove, then select **Delete**.
-
-3. Select **Close**.
-
-
-
-
-
-## Related articles
-
-* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
deleted file mode 100644
index 9524c2d4474..00000000000
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: How to make a connection group ignore the package version (Windows 10/11)
-description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# How to make a connection group ignore the package version
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create.
-
-You can also configure a connection group to accept any version of a package, so that you can upgrade the package without having to disable the connection group.
-
-- If the connection group has access to multiple versions of a package, App-V will use the latest version.
-
-- If the connection group contains an optional package with an incorrect version, App-V ignores the package and won't block the connection group's virtual environment from being created.
-
-- If the connection group contains a non-optional package that has an incorrect version, App-V won't be able to create the connection group's virtual environment.
-
-## Make a connection group ignore the package version with the App-V Server Management Console
-
-1. In the Management Console, select **Connection Groups**.
-
-2. Select the correct connection group from the Connection Groups library.
-
-3. Select **Edit** in the Connected Packages pane.
-
-4. Select the **Use Any Version** check box next to the package name, then select **Apply**.
-
-For more about adding or upgrading packages, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
-
-## Make a connection group ignore the package version from the App-V client on a stand-alone computer
-
-1. Create the connection group XML document.
-
-2. Set the **Package** tag attribute **VersionID** to an asterisk (*) to upgrade the package.
-
-3. Enter the following cmdlet (including the path to the connection group XML document) to add the connection group:
-
- ```PowerShell
- Add-AppvClientConnectionGroup
- ```
-
- For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](/powershell/module/appvclient/add-appvclientconnectiongroup).
-
-4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package:
-
- - [**Remove-AppvClientPackage**](/powershell/module/appvclient/remove-appvclientpackage)
- - [**Add-AppvClientPackage**](/powershell/module/appvclient/add-appvclientpackage)
- - [**Publish-AppvClientPackage**](/powershell/module/appvclient/publish-appvclientpackage)
-
-For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
-
-
-
-
-
-## Related articles
-
-- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
deleted file mode 100644
index c8e45c8af10..00000000000
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ /dev/null
@@ -1,67 +0,0 @@ ---- -title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11) -description: How to configure the client to receive package and connection groups updates from the publishing server. -author: aczechowski -ms.service: windows-client -ms.date: 06/25/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# How to configure the client to receive package and connection groups updates from the publishing server - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -The App-V publishing server's single-point management and high scalability lets you deploy packages and connection groups and keep them up to date. - -This article will tell you how to configure the App-V client to receive updates from the publishing server. - ->[!NOTE] ->The following example has the management server installed on a computer named **MyMgmtSrv**, and the publishing server installed on a computer named **MyPubSrv**. If the computers you'll be configuring the App-V client on have different names, you should replace the example's names with your computer's names. - -## Configure the App-V client to receive updates from the publishing server - -1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to create a connection group](appv-create-a-connection-group.md). -2. To open the management console, open a web browser and enter the following URL: `https://MyMgmtSrv/AppvManagement/Console.html`. Import, publish, and entitle all packages and connection groups that your users will need. -3. 
On the computer running the App-V client, open an elevated Windows PowerShell command prompt, and run the following command: - - ```PowerShell - Add-AppvPublishingServer -Name ABC -URL https://MyPubSrv/AppvPublishing - ``` - - This command will configure the specified publishing server. You should see output similar to the following: - - ```PowerShell - Id                        : 1 - SetByGroupPolicy          : False - Name                      : ABC - URL                       : https://MyPubSrv/AppvPublishing - GlobalRefreshEnabled      : False - GlobalRefreshOnLogon      : False - GlobalRefreshInterval     : 0 - GlobalRefreshIntervalUnit : Day - UserRefreshEnabled        : True - UserRefreshOnLogon        : True - UserRefreshInterval       : 0 - UserRefreshIntervalUnit   : Day - ``` - -4. On the computer running the App-V client, open a Windows PowerShell command prompt and enter the following cmdlet: - - ```PowerShell - Sync-AppvPublishingServer -ServerId 1 - ``` - - This cmdlet will query the publishing server for which packages and connection groups need to be added or removed for this particular client based on your configured entitlements for the packages and connection groups on the management server. - - - - - -## Related article - -* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md deleted file mode 100644 index 50ed9fd433b..00000000000 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ /dev/null 
@@ -1,33 +0,0 @@
----
-title: How to connect to the Management Console (Windows 10/11)
-description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
-author: aczechowski
-ms.service: windows-client
-ms.date: 06/25/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to connect to the Management Console
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the following procedure to connect to the App-V Management Console.
-
-## Connect to the App-V Management Console
-
-1. Open your web browser and enter the address for the App-V Management server. For example, **https://\<_management server name_\>:\<_management service port number_\>/console.html**.
-
-2. To view different sections of the console, select your desired section in the navigation pane.
-
-
-
-
-
-## Related articles
-
-- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
deleted file mode 100644
index bfad2cc36f6..00000000000
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ /dev/null
@@ -1,146 +0,0 @@ ---- -title: About the connection group file (Windows 10/11) -description: A summary of what the connection group file is and how to configure it. -author: aczechowski -ms.service: windows-client -ms.date: 06/25/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# About the connection group file - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -## Connection group file overview - -### What is a connection group? - -A connection group is an App-V feature that can group packages together to create a virtual environment where applications within that package group can interact with each other. - -For example, let's say you want to use plug-ins with Microsoft Office. You can create one package that contains the plug-ins and another package that contains Office, and then add both packages to the same connection group to enable Office to use those plug-ins. - -### How a connection group file works - -When you apply an App-V connection group file, all packages specified in the file will be combined at runtime into a single virtual environment. Use the Microsoft Application Virtualization (App-V) connection group file to configure existing App-V connection groups. - -An example file path for a package file would be %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}. - -## Structure of the connection group XML file - -This section will tell you more about the components of the connection group XML file. - -### Parameters that define the connection group - -The following table describes the parameters in the XML file that define the connection group itself, not the packages. - -|Field|Description| -|-----|-----------| -|Schema name|Name of the schema.
    If you want to use the “optional packages” and “use any version” features described in this table, you must specify the following schema in the XML file:
    `xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"`| -|AppConnectionGroupId|Unique GUID identifier for this connection group. The connection group state is associated with this identifier. Specify this identifier only when you create the connection group.
    You can create a new GUID by entering **[Guid]::NewGuid()**.| -|VersionId|Version GUID identifier for this version of the connection group.
    When you update a connection group (for example, by adding or updating a new package), you must update the version GUID to reflect the new version.| -|DisplayName|Display name of the connection group.| -|Priority|Optional priority field for the connection group.
    A value of **0** indicates the highest priority.
    If a priority is required but has not been configured, the package will fail because it can't determine the correct connection group to use.| - -### Parameters that define the packages in the connection group - -In the **<Packages>** section of the connection group XML file, you list the member packages in the connection group by specifying each package’s unique package identifier and version identifier, as described in the following table. The first package in the list has the highest precedence. - -|Field|Description| -|---|---| -|PackageId|Unique GUID identifier for this package. This GUID doesn’t change when newer versions of the package are published.| -|VersionId|Unique GUID identifier for the version of the package.
    If you specify “*” for the package version, the GUID of the latest available package version is dynamically inserted.| -|IsOptional|Parameter that enables you to make a package optional within the connection group. Valid entries are:
    - “**true**”—package is optional in the connection group
    - “**false**”—package is required in the connection group| - -### App-V example connection group XML file - -The following example connection group XML file shows examples of the fields listed in the previous tables. - -```XML - - - - - - -``` - -## Configuring the priority of packages in a connection group - -Package precedence is configured using the package list order. The first package in the document has the highest precedence. Subsequent packages in the list have descending priority. - -Package precedence is the resolution for otherwise inevitable resource collisions during virtual environment initialization. For example, if two packages that are opening in the same virtual environment define the same registry DWORD value, the package with the highest precedence determines the value that is set. - -You can use the connection group file to configure each connection group by using the following methods: - -- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, select the connection group and then select **Edit**. - - > [!NOTE] - >A package only requires priority if it's associated with more than one connection group. -- Specify package precedence within the connection group. - -The priority field is required when a running virtual application initiates from a native application request, such as Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups. - -If a virtual application is opened using another virtual application, the client will use the original virtual application's virtual environment. The priority field is not used in this case. - -The following is an example of priority configuration: - -The virtual application Microsoft Outlook is running in virtual environment **XYZ**. 
When you open an attached Microsoft Word document, a virtualized version Microsoft Word opens in the virtual environment **XYZ**, regardless of the virtualized Microsoft Word’s associated connection groups or runtime priorities. - -## Supported virtual application connection configurations - -App-V supports the following application connection configurations. - -- **An .exe file and plug-in (.dll)**. For example, you might want to distribute Microsoft Office to all users, but only distribute a Microsoft Excel plug-in to a small subset of those users. - - Enable the connection group for the appropriate users. Update each package individually as required. - -- **An .exe file and a middleware application**. This is for cases where you have an application that requires a middleware application, or several applications that all depend on the same middleware runtime version. - - All computers that require one or more of the applications receive the connection groups with the application and middleware application runtime. You can optionally combine multiple middleware applications into a single connection group. - - |Example|Example description| - |---|---| - |Virtual application connection group for the financial division|- Middleware application 1
    - Middleware application 2
    - Middleware application 3
    - Middleware application runtime| - |Virtual application connection group for HR division|- Middleware application 5
    - Middleware application 6
    - Middleware application runtime| - -- **An. exe file and an .exe file**. This is for cases where you have an application that relies on another application, but you want to keep the packages separate for operational efficiencies, licensing restrictions, or rollout timelines. - - For example, if you are deploying Microsoft Lync 2010, you can use three packages: - - - Microsoft Office 2010 - - Microsoft Communicator 2007 - - Microsoft Lync 2010 - - You can manage the deployment with the following connection groups: - - - Microsoft Office 2010 and Microsoft Communicator 2007 - - Microsoft Office 2010 and Microsoft Lync 2010 - - After deployment, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package or keep and maintain them as separate packages and deploy them with a connection group. - - - - - -## Related articles - -- [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md deleted file mode 100644 index d84704a33ff..00000000000 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: About the connection group virtual environment (Windows 10/11) -description: Learn how the connection group virtual environment works and how package priority is determined. -author: aczechowski -ms.service: windows-client -ms.date: 06/25/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# About the connection group virtual environment - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -## How package priority is determined - -The virtual environment and its current state are associated with the connection group, not with the individual packages. If you remove an App-V package from the connection group, the state that existed as part of the connection group won't migrate with the package. - -If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group wherein each defines the same registry DWORD value. - -The connection group that is used is based on the order in which a package appears inside the **AppConnectionGroup** XML document: - -- The first package has the highest precedence. -- The second package has the second highest precedence. - -Consider the following example section: - -```XML - - - - - -``` - -Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package. 
- -For this example, the DWORD value definition would be as shown below: - -- Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5 -- Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10 - -Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This result means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region. - -Other virtual environment resources are resolved in a similar way, but usually collisions occur in the registry. - -## Merging identical package paths into one virtual directory in connection groups - -If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group's virtual environment. Merging these paths allows an application in one package to access files that are in a different package. - -When you remove a package from a connection group, the removed package's applications can no longer access files from packages in the connection group it was removed from. - -App-V looks up a file’s name in the connection group in the order App-V packages are listed in the connection group manifest file. - -The following example shows the order and relationship of a file name lookup in a connection group for **Package A** and **Package B**. - -|Package A|Package B| -|---|---| -|C:\Windows\System32|C:\Windows\System32| -|C:\AppTest|C:\AppTest| - -When a virtualized application tries to find a specific file, App-V will search for a matching file path in Package A. 
If it doesn't find a matching path in Package A, it will then search Package B using the following mapping rules: - -- If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, App-V will use the first matching file. -- If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, App-V will use the first matching file. - - - - - -## Related articles - -- [Managing Connection Groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md deleted file mode 100644 index e12fd39cb00..00000000000 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -title: How to convert a package created in a previous version of App-V (Windows 10/11) -description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. -author: aczechowski -ms.service: windows-client -ms.date: 07/10/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to convert a package created in a previous version of App-V - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -You can use the package converter utility to upgrade virtual application packages created by previous versions of App-V. This section will tell you how to convert existing virtual application packages for upgrade. - ->[!NOTE] ->If you are running a computer with a 64-bit architecture, you must use the x86 version of Windows PowerShell. - -The package converter can only directly convert packages created by an App-V sequencer version 4.5 or later. Packages created with an App-V version earlier than 4.5 must be upgraded to at least App-V 4.5 before conversion. - ->[!IMPORTANT] ->In order to keep your files secure, you must configure the package converter to always save the package ingredients file to a secure location and directory that can only be accessed by an administrator. When you deploy the package, you should either save the package to a secure location or make sure that no other users can sign in during the conversion process. - -## App-V 4.6 installation folder is redirected to virtual file system root - -When you convert packages from App-V 4.6 to App-V for Windows 10/11, the App-V for Windows client package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) 
- -The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. - -## Getting started - -1. Install the App-V Sequencer on a computer in your environment. For information about how to install the Sequencer, see [How to install the Sequencer](appv-install-the-sequencer.md). - -2. You can enter the following cmdlets to check or convert packages: - - - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet won't parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: - - ```PowerShell - Test-AppvLegacyPackage -? - ``` - - - **ConvertFrom-AppvLegacyPackage**—This cmdlet converts packages from legacy versions to updated versions. To convert an existing package, enter the following cmdlet: - - ```PowerShell - ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages - ``` - - In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you don't specify a new name, the old package name will be used. - - Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This definition of setting is more performant than the primary feature block and fully downloading the package. 
The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. - - > [!NOTE] - > Before you specify the output directory, you must create the output directory. - -### Advanced Conversion Tips - -- Piping—Windows PowerShell supports piping. Piping allows you to enter cmdlets like this example: - - ```PowerShell - dir C:\contentStore\myPackage | Test-AppvLegacyPackage - ``` - - In this example, the directory object that represents `myPackage` will be given as input to the **Test-AppvLegacyPackage** cmdlet and bound to the *-Source* parameter. Piping like this is especially useful when you want to batch commands together, such as in the following example cmdlet: - - ```PowerShell - dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages - ``` - - This piped example command tests packages, then passes the objects on for conversion. You can also apply a filter on packages without errors or only specify a directory that contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. - -- Batching—The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the *-Source* parameter that represents a list of directory paths. This feature allows you to enter the following cmdlets together: - - ```PowerShell - $packages = dir C:\contentStore - ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target C:\ConvertedPackages - ``` - - Alternatively, you can use piping like this: - - ```PowerShell - dir C:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages - ``` - -- Other functionality—Windows PowerShell has other built-in functionality for features such as aliases, lazy-binding, .NET Object, and many others. These features can help you create advanced scenarios for the Package Converter. 
- - -## Related articles - -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md deleted file mode 100644 index e602397d30f..00000000000 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: How to create a connection croup with user-published and globally published packages (Windows 10/11) -description: How to create a connection croup with user-published and globally published packages. -author: aczechowski -ms.service: windows-client -ms.date: 07/10/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to create a connection croup with user-published and globally published packages - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods: - -- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups) -- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups) - -## Unsupported scenarios and potential issues - -Here are some important things to know before you get started: - -- If you add user-published packages in globally entitled connection groups, the connection group will fail. -- Track the connection groups where you've used a non-optional package before removing it with the **Unpublish-AppvClientPackage <package> -global** cmdlet. - - In situations where you have a globally published package that's listed as non-optional in a user-published connection group that also appears in other packages, running **Unpublish-AppvClientPackage <package> -global** cmdlet can unpublish the package from every connection group containing that package. Tracking connection groups can help you avoid unintentionally unpublishing non-optional packages. - -## How to use Windows PowerShell cmdlets to create user-entitled connection groups - -1. 
Add and publish packages by using the following commands: - - ```PowerShell - Add-AppvClientPackage - Add-AppvClientPackage - Publish-AppvClientPackage -PackageId  -VersionId -Global - Publish-AppvClientPackage -PackageId -VersionId  - ``` - -2. Create the connection group XML file. For more information, see [About the connection group file](appv-connection-group-file.md). - -3. Add and publish the connection group by using the following commands: - - ```PowerShell - Add-AppvClientConnectionGroup - Enable-AppvClientConnectionGroup -GroupId  -VersionId - ``` - -## How to use the App-V Server to create user-entitled connection groups - -1. Open the App-V Management Console. - -2. Follow the instructions in [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md) to publish packages globally and to the user. - -3. Follow the instructions in [How to create a connection group](appv-create-a-connection-group.md) to create the connection group and add the user-published and globally published packages. - - - - - -## Related articles - -- [Managing Connection Groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md deleted file mode 100644 index a78ae6f6cde..00000000000 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: How to create a connection group (Windows 10/11) -description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. -author: aczechowski -ms.service: windows-client -ms.date: 07/10/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to create a connection group - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use these steps to create a connection group by using the App-V Management Console. To use Windows PowerShell to create connection groups, see [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md). - -When you place packages in a connection group, their package root paths merge. If you remove packages, only the remaining packages maintain the merged root. - -## Create a connection group - -1. In the App-V Management Console, select **CONNECTION GROUPS** to display the Connection Groups library. - -2. Select **ADD CONNECTION GROUP** to create a new connection group. - -3. In the **New Connection Group** pane, enter a description for the group. - -4. Select **EDIT** in the **CONNECTED PACKAGES** pane to add a new application to the connection group. - -5. In the **PACKAGES Entire Library** pane, select the application to be added, then select the arrow to add the application. - - To remove an application, select the application to be removed in the **PACKAGES IN** pane and select the arrow. - - To reprioritize the applications in your connection group, use the arrows in the **PACKAGES IN** pane. - - >[!IMPORTANT] - >By default, the Active Directory Domain Services access configurations that are associated with a specific application are not added to the connection group. 
To transfer the Active Directory access configuration, select **ADD PACKAGE ACCESS TO GROUP ACCESS**, which is located in the **PACKAGES IN** pane. - -6. After adding all the applications and configuring Active Directory access, select **Apply**. - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) -- [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md deleted file mode 100644 index ead8b2f6624..00000000000 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11) -description: How to create a custom configuration file by using the App-V Management Console. -author: aczechowski -ms.service: windows-client -ms.date: 07/10/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# How to create a custom configuration file by using the App-V Management Console - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see [About App-V dynamic configuration](appv-dynamic-configuration.md). - -You can create a dynamic user configuration file with the App-V Management Console by following the steps in this article. - -## Create a dynamic user configuration file - -1. Right-click the name of the package that you want to view and select **Edit active directory access** to view the configuration that is assigned to a given user group. Alternatively, select the package, and click **Edit**. - -2. Using the list of **AD Entities with Access**, select the AD group that you want to customize. Select **Custom** from the drop-down list. A link named **Edit** will appear. - -3. Select **Edit**. The Dynamic User Configuration assigned to the AD Group will appear. - -4. Select **Advanced**, and then select **Export Configuration**. Enter a file name and select **Save**. Now you can edit the file to configure a package for a user. 
- - > [!NOTE] - > If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enalbed and set to block downloads, you won't be able to download anything from the App-V Server. - - -## Related articles - -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md deleted file mode 100644 index cbe79ac2df5..00000000000 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) -description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. -author: aczechowski -ms.service: windows-client -ms.date: 07/10/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to create a package accelerator by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. - -## Create a package accelerator - -1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). -2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure there's the App-V package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. -4. Enter the **New-AppvPackageAccelerator** cmdlet. - - The following parameters are required to use the package accelerator cmdlet: - - - *InstalledFilesPath* specifies the application installation path. - - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the App-V package. - - *Path* specifies the output directory for the package. 
- - The following example cmdlet shows how you can create a package accelerator with the App-V package and the installation media: - - ```PowerShell - New-AppvPackageAccelerator -InputPackagePath -Installer -Path - ``` - - You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: - - - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. - - - - - -## Related articles - -- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md deleted file mode 100644 index e1500e38076..00000000000 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -title: How to create a package accelerator (Windows 10/11) -description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. -author: aczechowski -ms.service: windows-client -ms.date: 07/10/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# How to create a package accelerator - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -App-V Package Accelerators automatically generate new virtual application packages. - ->[!NOTE] ->You can use Windows PowerShell to create a package accelerator. For more information, see [How to create a package accelerator by using Windows PowerShell](appv-create-a-package-accelerator-with-powershell.md). - -Use the following procedure to create a package accelerator. - ->[!IMPORTANT] -> ->- Because package accelerators can contain password and user-specific information, you should save package accelerators and the associated installation media in a secure location, and you should also digitally sign the package accelerator after creating it so that you can verify the publisher when applying the App-V Package Accelerator. ->- Before you begin creating a package accelerator, do the following: -> - Copy the virtual application package that you will use to create the package accelerator locally to the computer running the sequencer. -> - Copy all required installation files associated with the virtual application package to the computer running the sequencer. ->- The App-V Sequencer does not grant any license rights to the software application you are using to create the package accelerator. You must abide by all end user license terms for the application you are using. It is your responsibility to make sure the software application’s license terms allow you to create a package accelerator with the App-V sequencer. 
- -## Create a package accelerator - -1. To start the App-V sequencer on the computer running the sequencer, select **Start** > **All Programs** > **Microsoft Application Virtualization** > **Microsoft Application Virtualization Sequencer**. - -2. To start the App-V **Create Package Accelerator** wizard, in the App-V sequencer console, select **Tools** > **Create Accelerator**. - -3. On the **Select Package** page, select **Browse** to specify an existing virtual application package to use to create the package accelerator, then locate the existing virtual application package (it will appear as an .appv file). - - >[!TIP] - >Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. - - Select **Next**. - -4. Go to the **Installation Files** page and select **Browse**, then select the directory that contains the installation files to specify the folder containing the original virtual package's installation files. - - >[!TIP] - >Copy the folder that contains the required installation files to the computer running the Sequencer. - -5. If the application is already installed on the computer running the sequencer, then select **Files installed on local system** to specify the installation file. To use this option, the application must already be installed in the default installation location. - -6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed aren't required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page. - - > [!NOTE] - >You must either remove the unrequired files or select **Previous** and locate the required files to advance to the next page of this wizard. - -7. On the **Select Files** page, carefully review the detected files. 
Clear any file the package accelerator doesn't need to run successfully and select only the files that the application requires. When you're done, select **Next**. - -8. Confirm that the **Verify Applications** page displays all installation files required to build the package. The package accelerator requires all installation files displayed in the **Applications** pane in order to create the package. - - If you need to add more Installer files, select **Add**. To remove unnecessary installation files, select the **Installer file**, then select **Delete**. To edit the properties associated with an installer, select **Edit**. The package accelerator requires the installation files specified in this step to create a new virtual application package. After you've confirmed the information displayed, select **Next**. - -9. On the **Select Guidance** page, select **Browse** to specify the file that will provide the package accelerator with application instructions. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for successful package accelerator application. The file you select must be in rich text (.rtf) or text file (.txt) format. After specifying the file, select **Next**. - -10. On the **Create Package Accelerator** page, select **Browse** and select the directory where you want to save the package accelerator. - -11. On the **Completion** page, select **Close**. - - >[!IMPORTANT] - >You should always digitally sign the package accelerator to ensure that it is secure and can be verified by a publisher during application. - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) -- [How to create a virtual application package using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md) 
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
deleted file mode 100644
index 2ee8100f3ea..00000000000
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11)
-description: How to create a virtual application package using an App-V Package Accelerator.
-author: aczechowski
-ms.service: windows-client
-ms.date: 07/10/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to create a virtual application package using an App-V Package Accelerator
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the following procedure to create a virtual application package with the App-V Package Accelerator.
-
->[!IMPORTANT]
->The App-V Sequencer does not grant any license rights to the software application that you use to create the package accelerator. You must abide by all end user license terms for the application that you use. It is your responsibility to make sure that the software application’s license terms allow you to create a package accelerator with the App-V Sequencer.
-
-## Create a virtual application package with an App-V Package Accelerator
-
-1. Make sure you've copied the required package accelerator locally to the computer running the App-V Sequencer. Also make sure to copy all required installation files for the package to a local folder on the computer running the Sequencer. This is the folder that you have to specify in step 6 of this procedure.
-
-2. To start the App-V Sequencer on the computer that runs the Sequencer, go to **Start** > **All Programs** > **Microsoft Application Virtualization** > **Microsoft Application Virtualization Sequencer**.
-
-3. Select **Create a New Virtual Application Package**. To create the package, select the **Create Package using a Package Accelerator** check box, then select **Next**.
-
-4. 
To specify the package accelerator that will be used to create the new virtual application package, select **Browse** on the **Select Package Accelerator** page. Select **Next**. - - >[!IMPORTANT] - >If the publisher of the package accelerator cannot be verified and does not contain a valid digital signature, then before you select **Run**, you must confirm that you trust the source of the package accelerator. Confirm your choice in the **Security Warning** dialog box. - -5. On the **Guidance** page, review the publishing guidance information that is displayed in the information pane. This information was added when the package accelerator was created and it contains guidance about how to create and publish the package. To export the guidance information to a text (.txt) file, select **Export** and specify the location where the file should be saved, and then select **Next**. - -6. On the **Select Installation Files** page, select **Make New Folder** to create a local folder that contains all required installation files for the package, and specify where the folder should be saved. You must also specify a name to be assigned to the folder. You must then copy all required installation files to the location that you specified. If the folder that contains the installation files already exists on the computer that runs the Sequencer, select **Browse** to select the folder. - - Alternatively, if you have already copied the installation files to a directory on this computer, select **Make New Folder**, browse to the folder that contains the installation files, then select **Next**. - - > [!NOTE] - >You can specify the following types of supported installation files: - > - Windows Installer files (**.msi**) - > - Cabinet files (.cab) - > - Compressed files with a .zip file name extension - > - The actual application files - > The following file types are not supported: **.msp** and **.exe** files. 
If you specify an **.exe** file, you must extract the installation files manually. - -7. If the package accelerator requires you to install an application before you apply the package accelerator and you have already installed the required application, select **I have installed all applications**, then select **Next** on the **Local Installation** page. - -8. On the **Package Name** page, specify a name that will be associated with the package. The name you choose will identify the package in the App-V Management Console. Select **Next**. - -9. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. To confirm the location where the package is created, review the information displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network or the package size exceeds 4 GB. - -10. To create the package, select **Create**. After the package is created, select **Next**. - -11. On the **Configure Software** page, to enable the Sequencer to configure the applications contained within the package, select **Configure Software**. **Configure Software** will let you configure any associated tasks required to run the application on the target computers. For example, you can configure any associated license agreements. - - The following items can be configured using the Sequencer as part of this step: - - - **Load Package** loads files associated with the package. It can take several seconds to an hour to decode the package. - - **Run Each Program** optionally runs programs contained within the package. This step can help you complete associated license or configuration tasks that must be completed before deploying and running the package on target computers. 
To run all the programs at once, select at least one program, and then select **Run All**. To run specific programs, select the program or programs that you want to run, and then select **Run Selected**. Complete the required configuration tasks, then close the applications. It can take several minutes for all programs to run. Select **Next**. - - **Save Package** saves the package. - - **Primary Feature Block** optimizes the package for streaming by rebuilding the primary feature block. - - If you don't want to configure the applications, select **Skip this step**, then select **Next**. - -12. On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, select **Close**. - - The package is now available in the Sequencer. To edit the package properties, select **Edit \[Package Name\]**. For more information about how to modify a package, see [How to modify an existing virtual application package](appv-modify-an-existing-virtual-application-package.md). - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md deleted file mode 100644 index a37682809cf..00000000000 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ /dev/null 
@@ -1,59 +0,0 @@
----
-title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11)
-description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package.
-author: aczechowski
-ms.service: windows-client
-ms.date: 07/10/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Create and apply an App-V project template to a sequenced App-V package
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-You can use an App-V Project Template (.appvt) file to save commonly applied settings associated with an existing virtual application package. You can then apply these settings whenever you create new virtual application packages in your environment, streamlining the package creation process. App-V Project Templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V Project Templates can be applied to multiple applications. To learn more about package accelerators, see [How to create a package accelerator](appv-create-a-package-accelerator.md).
-
->[!IMPORTANT]
->Starting with Windows 10 version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template.
-
-## Create a project template
-
-You must first create and save a project template, including a virtual app package with settings to be used by the template.
-
-1. 
On the device running the App-V Sequencer, select **Start**, select **All Programs**, select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**. - - > [!NOTE] - >If the virtual app package is currently open in the App-V Sequencer console, skip to Step 3 of this procedure. - -2. On the **File** menu, select **Open**, select **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V Project Template, and then select **Edit** to change any of the settings or info included in the file. - -3. On the **File** menu, select **Save As Template**, review the settings associated with the new template, select **OK**, name your new template, and then select **Save**. - - The new App-V Project Template is saved in the folder you specified. - -## Apply a project template - -After creating the template, you can apply it to all of your new virtual app packages, automatically including all of the settings. - ->[!IMPORTANT] ->Virtual app packages don't support using both a project template and a package accelerator at the same time. - -1. On the device running the App-V Sequencer, select **Start** > **All Programs** > **Microsoft Application Virtualization** > **Microsoft Application Virtualization Sequencer**. - -2. On the **File** menu, select **New From Template**, browse to your newly created project template and select **Open**. - -3. Create your new virtual app package. The settings saved with your template are automatically applied. 
- -### Related articles - -- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -- [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) -- [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md deleted file mode 100644 index ef0e7deee18..00000000000 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ /dev/null 
@@ -1,156 +0,0 @@ ---- -title: Creating and managing App-V virtualized applications (Windows 10/11) -description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# Creating and managing App-V virtualized applications - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -After you've properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. - -For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx). - ->[!NOTE] ->The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. - -## Sequencing an application - -You can use the App-V Sequencer to perform the following tasks: - -- Create virtual packages that can be deployed to computers running the App-V client. -- Upgrade existing packages. You can expand an existing package onto the computer running the sequencer and then upgrade the application to create a newer version. -- Edit configuration information associated with an existing package. For example, you can add a shortcut or modify a file type association. - - > [!NOTE] - >You must create shortcuts and save them to an available network location to allow roaming. 
If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V client. - -- Convert existing virtual packages. - -The sequencer uses the **%TMP% \\ Scratch** or **%TEMP% \\ Scratch** directory and the **Temp** directory to store temporary files during sequencing. On the computer that runs the sequencer, you should configure these directories with free disk space equivalent to the estimated application installation requirements. Configuring the temp directories and the Temp directory on different hard drive partitions can help improve performance during sequencing. - -When you use the sequencer to create a new virtual application, the following listed files are created. These files comprise the App-V package. - -- **.msi file**. This Windows Installer (.msi) file is created by the sequencer and is used to install the virtual package on target computers. -- **Report.xml file**. In this file, the sequencer saves all issues, warnings, and errors that were discovered during sequencing. It displays the information after the package has been created. You can us this report for diagnosing and troubleshooting. -- **.appv file**. This file is the virtual application file. -- **Deployment configuration file**. The deployment configuration file determines how the virtual application will be deployed to target computers. -- **User configuration file**. The user configuration file determines how the virtual application will run on target computers. - ->[!IMPORTANT] ->You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package, you should either save the package to a secure location or make sure that no other user is allowed to log in during the conversion and monitoring process. 
- -The **Options** dialog box in the sequencer console contains the following tabs: - -- **General**. Use this tab to enable Microsoft Updates to run during sequencing. Select **Append Package Version to Filename** to configure the sequence to add a version number to the virtualized package that is being sequenced. Select **Always trust the source of Package Accelerators** to create virtualized packages using a package accelerator without being prompted for authorization. - - >[!IMPORTANT] - >Package Accelerators created using App-V 4.6 are not supported by App-V. - -- **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**. -- **Exclusion Items**. Use this tab to specify which folders and directories shouldn't be monitored during sequencing. To add local application data that is saved in the Local App Data folder in the package, click **New** and specify the location and the associated **Mapping Type**. This option is required for some packages. - -App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the service will be included in the sequenced virtual package as long as it's installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then after installation, the application must be run while the sequencer is monitoring for the Windows Service to be included in the package. Only services running under the Local System account are supported. Services configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the package’s Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call. 
- -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) -- [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) - -## App-V shell extension support - -App-V supports shell extensions. Shell extensions will be detected and embedded in the package during sequencing. - -Shell extensions are automatically embedded in the package during the sequencing process. When the package is published, the shell extension gives users the same functionality as if the application were locally installed. - -### Requirements for using shell extensions - -- Packages that contain embedded shell extensions must be published globally. The application requires no extra setup or configuration on the client to enable the shell extension functionality. -- The “bitness” of the application, Sequencer, and App-V client must match, or the shell extensions won’t work. For example: - - The version of the application is 64-bit. - - The Sequencer is running on a 64-bit computer. - - The package is being delivered to a 64-bit App-V client computer. - -The following table lists the supported shell extensions: - -|Handler|Description| -|---|---| -|Context menu handler|Adds menu items to the context menu. It's called before the context menu is displayed.| -|Drag-and-drop handler|Controls the action where right-click, drag and drop, and modifies the context menu that appears.| -|Drop target handler|Controls the action after a data object is dragged and dropped over a drop target such as a file.| -|Data object handler|Controls the action after a file is copied to the clipboard or dragged and dropped over a drop target. 
It can provide more clipboard formats to the drop target.| -|Property sheet handler|Replaces or adds pages to the property sheet dialog box of an object.| -|Infotip handler|Allows retrieving flags and infotip information for an item and displaying it inside a pop-up tooltip upon mouse hover.| -|Column handler|Allows creating and displaying custom columns in **Windows Explorer Details view**. It can be used to extend sorting and grouping.| -|Preview handler|Enables a preview of a file to be displayed in the Windows Explorer Preview pane.| - -## Copy on Write (CoW) file extension support - -Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it's being used. - -The following list shows the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which can't be updated on the computer running the App-V client. All other files and directories can be modified. - -- .com -- .exe -- .dll -- .ocx - -## Modifying an existing virtual application package - -You can use the sequencer to modify an existing package. The computer on which you do this modification should match the chip architecture of the computer you used to create the application. For example, if you initially sequenced a package using a computer running a 64-bit operating system, you should modify the package using a computer running a 64-bit operating system. - -For more information, see [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md). - -## Creating a project template - -An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. 
App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you can't use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: - -A template can specify and store multiple settings as follows: - -- **Advanced Monitoring Options**. Enables Microsoft Update to run during monitoring. Saves allow local interaction option settings -- **General Options**. Enables the use of **Windows Installer**, **Append Package Version to Filename**. -- **Exclusion Items.** Contains the Exclusion pattern list. - -Starting with Windows 10 version 1703, running the **new-appvsequencerpackage** or **update-appvsequencepackage** cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. - ->[!IMPORTANT] ->If you attempt to load another template through the *_TemplateFilePath_* parameter while already having an auto-saved template, the customization value from the parameter will override the auto-saved template. - -For more information, see [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md). - -## Creating a package accelerator - ->[!NOTE] ->Package accelerators created using a previous version of App-V must be recreated using App-V. - -You can use App-V package accelerators to automatically generate a new virtual application package. After you've successfully created a package accelerator, you can reuse and share the package accelerator. - -In some situations, to create the package accelerator, you might have to install the application locally on the computer that runs the sequencer. 
In such cases, you should first try to create the package accelerator with the installation media. If multiple missing files are required, you should install the application locally to the computer that runs the sequencer, and then create the package accelerator. - -After you've successfully created a Package Accelerator, you can reuse and share the Package Accelerator. Creating App-V Package Accelerators is an advanced task. Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. - -For more information, see the following articles: - -- [How to Create a Package Accelerator](appv-create-a-package-accelerator.md) -- [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md) - -## Sequencer error reporting - -The App-V Sequencer can detect common sequencing issues during sequencing. The **Installation Report** page at the end of the sequencing wizard displays diagnostic messages categorized into **Errors**, **Warnings**, and **Info** depending on the severity of the issue. - -You can also find additional information about sequencing errors using the Windows Event Viewer. - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md deleted file mode 100644 index bbb9594d7c6..00000000000 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ /dev/null 
@@ -1,40 +0,0 @@
----
-title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11)
-description: How to customize virtual application extensions for a specific AD group by using the Management Console.
-author: aczechowski
-ms.service: windows-client
-ms.date: 07/10/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-# How to customize virtual applications extensions for a specific AD group by using the Management Console
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the following procedure to customize the virtual application extensions for an Active Directory (AD) group.
-
-## Customize virtual applications extensions for an AD group
-
-1. To view the package that you want to configure, open the App-V Management Console. To view the configuration assigned to a given user group, select the package, then right-click the package name and select **Edit active directory access**. Alternatively, select the package and select **EDIT** in the **AD ACCESS** pane.
-
-2. To customize an AD group, you can find the group from the list of **AD Entities with Access**. Then, using the drop-down box in the **Assigned Configuration** pane, select **Custom**, and then select **EDIT**.
-
-3. To disable all extensions for a given application, clear **ENABLE**.
-
- To add a new shortcut for the selected application, right-click the application in the **SHORTCUTS** pane, and select **Add new shortcut**. To remove a shortcut, right-click the application in the **SHORTCUTS** pane and select **Remove Shortcut**. To edit an existing shortcut, right-click the application and select **Edit Shortcut**.
-
-4. To view any other application extensions, select **Advanced**, and select **Export Configuration**. Enter a filename and select **Save**. 
You can view all application extensions that are associated with the package using the configuration file. - -5. To edit additional application extensions, modify the configuration file and select **Import and Overwrite this Configuration**. Select the modified file and select **Open**. In the dialog, select **Overwrite** to complete the process. - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md deleted file mode 100644 index 88af78ee9ff..00000000000 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: How to delete a connection group (Windows 10/11) -description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. -author: aczechowski -ms.service: windows-client -ms.date: 09/27/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# How to delete a connection group - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the following procedure to delete an existing App-V connection group. - -## Delete a connection group - -1. Open the App-V Management Console and select **CONNECTION GROUPS**. - -2. Right-click the connection group to be removed and select **delete**. - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) -- [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md deleted file mode 100644 index 2bd65704c0a..00000000000 
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: How to delete a package in the Management Console (Windows 10/11) -description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. -author: aczechowski -ms.service: windows-client -ms.date: 09/27/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# How to delete a package in the Management Console - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the following procedure to delete an App-V package. - -## Delete a package in the Management Console - -1. To view the package you want to delete, open the App-V Management Console and select **Packages**. Select the package to be removed. - -2. Select or right-click the package, then select **Delete** to remove the package. - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md deleted file mode 100644 index af21f7aff47..00000000000 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ /dev/null 
@@ -1,188 +0,0 @@ ---- -title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11) -description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# How to deploy the App-V databases by using SQL scripts - ->Applies to: Windows Server 2016 - -Use the following instructions to use SQL scripts, rather than the Windows Installer, to: - -* Install the App-V databases -* Upgrade the App-V databases to a later version - ->[!NOTE] ->If you have already deployed an App-V 5.0 SP3 database or later, the SQL scripts are not required to upgrade to App-V for Windows. - -## How to install the App-V databases by using SQL scripts - -1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software. - -2. Copy **appv\_server\_setup.exe** from the App-V release media to a temporary location. - -3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts. - - ```sql - appv\_server\_setup.exe /layout c:\\__ - ``` - -4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate **readme.txt** file for instructions: - - | Database | Location of readme.txt file to use| - |---|---| - | Management database | ManagementDatabase subfolder | - | Reporting database | ReportingDatabase subfolder | - ->[!CAUTION] ->The readme.txt file in the ManagementDatabase subfolder is out of date. 
The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders. - ->[!IMPORTANT] -> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. - -### Updated management database README file content - -```syntax -*********************************************************************************************************** -Before you install and use the Application Virtualization Database Scripts, you must: - -- Review the license terms. -- Print and retain a copy of the license terms for your records. - -By running the App-V you agree to such license terms. If you do not accept them, do not use the software. -*********************************************************************************************************** - -Steps to install "AppVManagement" schema in SQL SERVER. - -## PREREQUISITES: - - 1. Review the installation package. The following files MUST exist: - - SQL files - --------- - Database.sql - CreateTables.sql - CreateStoredProcs.sql - UpdateTables.sql - Permissions.sql - - 2. Ensure the target SQL Server instance and SQL Server Agent service are running. - - 3. If you are not running the scripts directly on the server, ensure the - necessary SQL Server client software is installed and available from - the specified location. Specifically, the "osql" command must be supported for these scripts to run. - -## PREPARATION: - - 1. Review the database.sql file and modify as necessary. Although the - defaults are likely sufficient, it is suggested that the following - settings be reviewed: - - DATABASE - ensure name is satisfactory - default is "AppVManagement". - - 2. Review the Permissions.sql file and provide all the necessary account information - for setting up read and write access on the database. Note: Default settings in the file will not work. - -## INSTALLATION: - - 1. 
Run the database.sql against the "master" database. Your user - credential must have the ability to create databases. - This script will create the database. - - 2. Run the following scripts against the "AppVManagement" database using the - same account as above in order. - - CreateTables.sql - CreateStoredProcs.sql - UpdateTables.sql - Permissions.sql - -``` - -### Updated reporting database README file content - -```syntax -*********************************************************************************************************** -Before you install and use the Application Virtualization Database Scripts, you must: - -- Review the license terms. -- Print and retain a copy of the license terms for your records. - -By running the App-V you agree to such license terms. If you do not accept them, do not use the software. -*********************************************************************************************************** - -Steps to install "AppVReporting" schema in SQL SERVER. - -## PREREQUISITES: - - 1. Review the installation package. The following files MUST exist: - - SQL files - --------- - Database.sql - UpgradeDatabase.sql - CreateTables.sql - CreateReportingStoredProcs.sql - CreateStoredProcs.sql - CreateViews.sql - Permissions.sql - ScheduleReportingJob.sql - - 2. Ensure the target SQL Server instance and SQL Server Agent service are running. - - 3. If you are not running the scripts directly on the server, ensure the - necessary SQL Server client software is installed and executable from - the location you have chosen. Specifically, the "osql" command must be supported for these scripts to run. - -## PREPARATION: - - 1. Review the database.sql file and modify as necessary. Although the - defaults are likely sufficient, it is suggested that the following - settings be reviewed: - - DATABASE - ensure name is satisfactory - default is "AppVReporting". - - 2. 
Review the Permissions.sql file and provide all the necessary account information - for setting up read and write access on the database. Note: Default settings - in the file will not work. - - 3. Review the ScheduleReportingJob.sql file and make sure that the stored proc schedule - time is acceptable. The default stored proc schedule time is at 12.01 AM (line 84). - If this time is not suitable, you can change this to a more suitable time. The time is in the format HHMMSS. - -## INSTALLATION: - - 1. Run the database.sql against the "master" database. Your user - credential must have the ability to create databases. - This script will create the database. - - 2. If upgrading the database, run UpgradeDatabase.sql This will upgrade database schema. - - 2. Run the following scripts against the "AppVReporting" database using the - same account as above in order. - - CreateTables.sql - CreateReportingStoredProcs.sql - CreateStoredProcs.sql - CreateViews.sql - Permissions.sql - ScheduleReportingJob.sql -``` - - - - - -## Related articles - -* [Deploying the App-V Server](appv-deploying-the-appv-server.md) -* [How to deploy the App-V Server](appv-deploy-the-appv-server.md) diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md deleted file mode 100644 index a0856627909..00000000000 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ /dev/null 
@@ -1,49 +0,0 @@
----
-title: How to deploy App-V packages using electronic software distribution (Windows 10/11)
-description: Learn how to use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
-author: aczechowski
-ms.service: windows-client
-ms.date: 09/27/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to deploy App-V packages using electronic software distribution
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
-
-For component requirements and options for using an ESD to deploy App-V packages, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md).
-
-Use one of the following methods to publish packages to App-V client computers with an ESD:
-
-- Use the functionality in a third-party ESD.
-- Install the application on the target client computer with the associated Windows Installer (.msi) file that's created when you initially sequence the application. The .msi file contains the associated App-V package file information used to configure a package and copies the required package files to the client.
-- Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).
- -| Method | Description | -|---|---| -| Functionality provided by a third-party ESD | Use the functionality in a third-party ESD.| -| Stand-alone Windows Installer | Install the application on the target client computer by using the associated Windows Installer (.msi) file that is created when you initially sequence an application. The Windows Installer file contains the associated App-V package file information used to configure a package and copies the required package files to the client. | -| Windows PowerShell | Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).| - -## Deploy App-V packages with an ESD - -1. Install the App-V Sequencer on a computer in your environment. For more information about installing the sequencer, see [How to install the Sequencer](appv-install-the-sequencer.md). - -2. Use the App-V Sequencer to create a virtual application. To learn more about creating virtual applications, see [Creating and managing App-V virtualized applications](appv-creating-and-managing-virtualized-applications.md). - -3. After you create the virtual application, deploy the package by using your ESD solution. - - - - - -## Related articles - -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md deleted file mode 100644 index d0e531b2343..00000000000 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ /dev/null 
@@ -1,526 +0,0 @@
----
-title: How to Deploy the App-V Server Using a Script (Windows 10/11)
-description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to deploy the App-V server using a script
-
->Applies to: Windows Server 2016
-
-In order to complete the **appv_server_setup.exe** server setup successfully using the command line, you must specify and combine multiple parameters.
-
-## To install the App-V server using a script
-
-Use the following lists and tables for more information about installing the App-V server using the command line.
-
-The information in the following lists and tables can also be accessed through the command line by entering the following command: ```appv\_server\_setup.exe /?```.
-
-## How to use common parameters to install the Management server and Management database on a local machine
-
-The following examples will show you how to install the Management server and database on a local machine.
-
-### Parameters for a default instance of Microsoft SQL Server for a new installation on a local machine
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */MANAGEMENT_SERVER*
-* */MANAGEMENT_ADMINACCOUNT*
-* */MANAGEMENT_WEBSITE_NAME*
-* */MANAGEMENT_WEBSITE_PORT*
-* */DB_PREDEPLOY_MANAGEMENT*
-* */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
-* */MANAGEMENT_DB_NAME*
-
-### Parameters for a custom instance of Microsoft SQL Server for a new installation on a local machine
-
-To use a custom instance of Microsoft SQL Server, use the following parameters:
-
-* */MANAGEMENT_SERVER*
-* */MANAGEMENT_ADMINACCOUNT*
-* */MANAGEMENT_WEBSITE_NAME*
-* */MANAGEMENT_WEBSITE_PORT*
-* */DB_PREDEPLOY_MANAGEMENT*
-* */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
-* */MANAGEMENT_DB_NAME*
-
-### Example parameters for using a custom instance of Microsoft SQL Server for a new installation on a local machine
-
-```SQL
-/appv_server_setup.exe /QUIET
-/MANAGEMENT_SERVER
-/MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup"
-/MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service"
-/MANAGEMENT_WEBSITE_PORT="8080"
-/DB_PREDEPLOY_MANAGEMENT
-/MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/MANAGEMENT_DB_NAME="AppVManagement"
-```
-
-## How to use common parameters to install the Management server using an existing Management database on a local machine
-
-The following examples will show you how to install the Management server on a local machine with an existing Management database.
-
-### Default instance of Microsoft SQL Server for installation with an existing Management database on a local machine
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */MANAGEMENT_SERVER*
-* */MANAGEMENT_ADMINACCOUNT*
-* */MANAGEMENT_WEBSITE_NAME*
-* */MANAGEMENT_WEBSITE_PORT*
-* */EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL*
-* */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
-* */EXISTING_MANAGEMENT_DB_NAME*
-
-### Custom instance of Microsoft SQL Server for installation with an existing Management database on a local machine
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */MANAGEMENT_SERVER*
-* */MANAGEMENT_ADMINACCOUNT*
-* */MANAGEMENT_WEBSITE_NAME*
-* */MANAGEMENT_WEBSITE_PORT*
-* */EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL*
-* */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
-* */EXISTING_MANAGEMENT_DB_NAME*
-
-### Example parameters for using a custom instance of Microsoft SQL Server for installation with an existing Management database on a local machine
-
-```SQL
-/appv_server_setup.exe /QUIET
-/MANAGEMENT_SERVER
-/MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup"
-/MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service"
-/MANAGEMENT_WEBSITE_PORT="8080"
-/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
-/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName"
-/EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
-```
-
-## How to install the Management server with an existing Management database on a remote machine
-
-### Default instance of Microsoft SQL Server with an existing Management database on a remote machine
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */MANAGEMENT_SERVER*
-* */MANAGEMENT_ADMINACCOUNT*
-* */MANAGEMENT_WEBSITE_NAME*
-* */MANAGEMENT_WEBSITE_PORT*
-* */EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME*
-* */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
-* */EXISTING_MANAGEMENT_DB_NAME*
-
-### Custom instance of Microsoft
SQL Server with an existing Management database on a remote machine
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */MANAGEMENT_SERVER*
-* */MANAGEMENT_ADMINACCOUNT*
-* */MANAGEMENT_WEBSITE_NAME*
-* */MANAGEMENT_WEBSITE_PORT*
-* */EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME*
-* */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
-* */EXISTING_MANAGEMENT_DB_NAME*
-
-### Example for using a custom instance of Microsoft SQL Server with an existing Management database on a remote machine
-
-```SQL
-/appv_server_setup.exe /QUIET
-/MANAGEMENT_SERVER
-/MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup"
-/MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service"
-/MANAGEMENT_WEBSITE_PORT="8080"
-/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME="SqlServermachine.domainName"
-/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName"
-/EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
-```
-
-## Installing the Management database and the Management Server on the same computer
-
-The following examples will show you how to install the Management server and database on the same computer.
-
-### Default instance of Microsoft SQL Server for installation on the same computer
-
-To use the default instance of Microsoft SQL Server, use these parameters:
-
-* */DB_PREDEPLOY_MANAGEMENT*
-* */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
-* */MANAGEMENT_DB_NAME*
-* */MANAGEMENT_SERVER_MACHINE_USE_LOCAL*
-* */MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Custom instance of Microsoft SQL Server for installation on the same computer
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */DB_PREDEPLOY_MANAGEMENT*
-* */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
-* */MANAGEMENT_DB_NAME*
-* */MANAGEMENT_SERVER_MACHINE_USE_LOCAL*
-* */MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Example for using a custom instance of Microsoft SQL Server for installation on the same computer
-
-```SQL
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_MANAGEMENT
-/MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/MANAGEMENT_DB_NAME="AppVManagement"
-/MANAGEMENT_SERVER_MACHINE_USE_LOCAL
-/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
-```
-
-## Installing the Management database on a different computer than the Management server
-
-The following examples will show you how to install the Management database and server on different computers.
-
-### Default instance of Microsoft SQL Server for installing the Management database on a different computer than the Management server
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */DB_PREDEPLOY_MANAGEMENT*
-* */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
-* */MANAGEMENT_DB_NAME*
-* */MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT*
-* */MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Custom instance of Microsoft SQL Server for installing the Management database on a different computer than the Management server
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */DB_PREDEPLOY_MANAGEMENT*
-* */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
-* */MANAGEMENT_DB_NAME*
-* */MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT*
-* */MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Example for using a custom instance of Microsoft SQL Server for installing the Management database on a different computer than the Management server
-
-```SQL
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_MANAGEMENT
-/MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/MANAGEMENT_DB_NAME="AppVManagement"
-/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount"
-/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
-```
-
-## Installing the Publishing server
-
-The following examples will show you how to install the Publishing server.
-
-### Default instance of Microsoft SQL Server for installing the Publishing server
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */PUBLISHING_SERVER*
-* */PUBLISHING_MGT_SERVER*
-* */PUBLISHING_WEBSITE_NAME*
-* */PUBLISHING_WEBSITE_PORT*
-
-### Example for installing the Publishing server
-
-```SQL
-/appv_server_setup.exe /QUIET
-/PUBLISHING_SERVER
-/PUBLISHING_MGT_SERVER="http://ManagementServerName:ManagementPort"
-/PUBLISHING_WEBSITE_NAME="Microsoft AppV Publishing Service"
-/PUBLISHING_WEBSITE_PORT="8081"
-```
-
-## Installing the Reporting server and Reporting database on a local machine
-
-The following examples will show you how to install the Reporting server and database on a local machine.
-
-### Default instance of Microsoft SQL Server for installing the Reporting server and Reporting database on a local machine
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */REPORTING_SERVER*
-* */REPORTING_WEBSITE_NAME*
-* */REPORTING_WEBSITE_PORT*
-* */DB_PREDEPLOY_REPORTING*
-* */REPORTING_DB_SQLINSTANCE_USE_DEFAULT*
-* */REPORTING_DB_NAME*
-
-### Custom instance of Microsoft SQL Server for installing the Reporting server and Reporting database on a local machine
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */REPORTING_SERVER*
-* */REPORTING_ADMINACCOUNT*
-* */REPORTING_WEBSITE_NAME*
-* */REPORTING_WEBSITE_PORT*
-* */DB_PREDEPLOY_REPORTING*
-* */REPORTING_DB_CUSTOM_SQLINSTANCE*
-* */REPORTING_DB_NAME*
-
-### Example for using a custom instance of Microsoft SQL Server for installing the Reporting server and Reporting database on a local machine
-
-```SQL
-/appv_server_setup.exe /QUIET
-/REPORTING_SERVER
-/REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service"
-/REPORTING_WEBSITE_PORT="8082"
-/DB_PREDEPLOY_REPORTING
-/REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/REPORTING_DB_NAME="AppVReporting"
-```
-
-## Installing the Reporting
server using an existing Reporting database on a local machine
-
-The following examples will show you how to install the reporting machine on a local machine with an existing Reporting database.
-
-### Default instance of Microsoft SQL Server for installing the Reporting server using an existing Reporting database on a local machine
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */REPORTING_SERVER*
-* */REPORTING_WEBSITE_NAME*
-* */REPORTING_WEBSITE_PORT*
-* */EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL*
-* */EXISTING_REPORTING_DB_SQLINSTANCE_USE_DEFAULT*
-* */EXISTING_REPORTING_DB_NAME*
-
-### Custom instance of Microsoft SQL Server for installing the Reporting server using an existing Reporting database on a local machine
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */REPORTING_SERVER*
-* */REPORTING_ADMINACCOUNT*
-* */REPORTING_WEBSITE_NAME*
-* */REPORTING_WEBSITE_PORT*
-* */EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL*
-* */EXISTING_REPORTING_DB_CUSTOM_SQLINSTANCE*
-* */EXISTING_REPORTING_DB_NAME*
-
-### Example for using a custom instance of Microsoft SQL Server for installing the Reporting server using an existing Reporting database on a local machine
-
-```SQL
-/appv_server_setup.exe /QUIET
-/REPORTING_SERVER
-/REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service"
-/REPORTING_WEBSITE_PORT="8082"
-/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
-/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/EXITING_REPORTING_DB_NAME="AppVReporting"
-```
-
-## Installing the Reporting server using an existing Reporting database on a remote machine
-
-The following examples will show you how to install the Reporting server and on a remote machine with an existing database.
-
-### Default instance of Microsoft SQL Server for installing the Reporting server using an existing Reporting database on a remote machine
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */REPORTING_SERVER*
-* */REPORTING_WEBSITE_NAME*
-* */REPORTING_WEBSITE_PORT*
-* */EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME*
-* */EXISTING_REPORTING_DB_SQLINSTANCE_USE_DEFAULT*
-* */EXISTING_REPORTING_DB_NAME*
-
-### Custom instance of Microsoft SQL Server for installing the Reporting server using an existing Reporting database on a remote machine
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */REPORTING_SERVER*
-* */REPORTING_ADMINACCOUNT*
-* */REPORTING_WEBSITE_NAME*
-* */REPORTING_WEBSITE_PORT*
-* */EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME*
-* */EXISTING_REPORTING_DB_CUSTOM_SQLINSTANCE*
-* */EXISTING_REPORTING_DB_NAME*
-
-### Example using a custom instance of Microsoft SQL Server for installing the Reporting server using an existing Reporting database on a remote machine
-
-```SQL
-/appv_server_setup.exe /QUIET
-/REPORTING_SERVER
-/REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service"
-/REPORTING_WEBSITE_PORT="8082"
-/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME="SqlServerMachine.DomainName"
-/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/EXITING_REPORTING_DB_NAME="AppVReporting"
-```
-
-## Installing the Reporting database on the same computer as the Reporting server
-
-The following examples will show you how to install the Reporting database and server on the same computer.
-
-### Default instance of Microsoft SQL Server for installing the Reporting database on the same computer as the Reporting server
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */DB_PREDEPLOY_REPORTING*
-* */REPORTING_DB_SQLINSTANCE_USE_DEFAULT*
-* */REPORTING_DB_NAME*
-* */REPORTING_SERVER_MACHINE_USE_LOCAL*
-* */REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Custom instance of Microsoft SQL Server for installing the Reporting database on the same computer as the Reporting server
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */DB_PREDEPLOY_REPORTING*
-* */REPORTING_DB_CUSTOM_SQLINSTANCE*
-* */REPORTING_DB_NAME*
-* */REPORTING_SERVER_MACHINE_USE_LOCAL*
-* */REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Example for using a custom instance of Microsoft SQL Server for installing the Reporting database on the same computer as the Reporting server
-
-```SQL
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_REPORTING
-/REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/REPORTING_DB_NAME="AppVReporting"
-/REPORTING_SERVER_MACHINE_USE_LOCAL
-/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
-```
-
-## Installing the Reporting database on a different computer than the Reporting server
-
-The following examples will show you how to install the Reporting database and server on different computers.
-
-### Default instance of Microsoft SQL Server for installing the Reporting database on a different computer than the Reporting server
-
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-* */DB_PREDEPLOY_REPORTING*
-* */REPORTING_DB_SQLINSTANCE_USE_DEFAULT*
-* */REPORTING_DB_NAME*
-* */REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT*
-* */REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Custom instance of Microsoft SQL Server for installing the Reporting database on a different computer than the Reporting server
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-* */DB_PREDEPLOY_REPORTING*
-* */REPORTING_DB_CUSTOM_SQLINSTANCE*
-* */REPORTING_DB_NAME*
-* */REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT*
-* */REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT*
-
-### Example for using a custom instance of Microsoft SQL Server for installing the Reporting database on a different computer than the Reporting server
-
-```SQL
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_REPORTING
-/REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName"
-/REPORTING_DB_NAME="AppVReporting"
-/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount"
-/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
-```
-
-## Parameter definitions
-
-* [General parameters](#parameter-definitions-for-general-parameters)
-* [Management Server installation parameters](#parameter-definitions-for-management-server-installation-parameters)
-* [Management Server Database parameters](#parameter-definitions-for-the-management-server-database)
-* [Publishing Server installation parameters](#parameter-definitions-for-publishing-server-installation-parameters)
-* [Reporting Server parameters](#parameter-definitions-for-reporting-server)
-* [Parameters for using an existing Reporting Server database](#parameters-for-using-an-existing-reporting-server-database)
-* [Reporting Server database installation
parameters](#parameter-definitions-for-reporting-server-database-installation)
-* [Parameters for using an existing Management Server database](#parameters-for-using-an-existing-management-server-database)
-
-### Parameter definitions for general parameters
-
-| Parameter | Description |
-|-----------|-------------|
-| */QUIET* | Specifies silent install. |
-| */UNINSTALL* | Specifies an uninstall. |
-| */LAYOUT* | Specifies layout action. This extracts the MSIs and script files to a folder without installing the actual product. No value is expected. |
-| */LAYOUTDIR* | Specifies the layout directory with a string. For example, ```/LAYOUTDIR="C:\Application Virtualization Server"```. |
-| */INSTALLDIR* | Specifies the installation directory with a string. For example, ```/INSTALLDIR="C:\Program Files\Application Virtualization\Server"```. |
-| */MUOPTIN* | Enables Microsoft Update. No value is expected. |
-| */ACCEPTEULA* | Accepts the license agreement. This is required for an unattended installation. For example, ```/ACCEPTEULA``` or ```/ACCEPTEULA=1```. |
-
-### Parameter definitions for Management Server installation parameters
-
-| Parameter | Description |
-|-----------|-------------|
-| */MANAGEMENT_SERVER* | Specifies that the management server will be installed. No value is expected. |
-| */MANAGEMENT_ADMINACCOUNT* | Specifies the account that will be allowed administrator access to the management server. This account can be an individual user account or a group. For example, ```/MANAGEMENT_ADMINACCOUNT="mydomain\admin"```. If **/MANAGEMENT_SERVER** isn't specified, this parameter will be ignored.|
-| */MANAGEMENT_WEBSITE_NAME* | Specifies name of the website that will be created for the management service. For example, ```/MANAGEMENT_WEBSITE_NAME="Microsoft App-V Management Service"``` |
-| */MANAGEMENT_WEBSITE_PORT* | Specifies the port number that will be used by the management service will use. For example, ```/MANAGEMENT_WEBSITE_PORT=82```.
|
-
-### Parameter definitions for the Management Server Database
-
-| Parameter | Description |
-|-----------|-------------|
-| */DB\_PREDEPLOY\_MANAGEMENT* | Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected. |
-| */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT* | Indicates that the default SQL instance should be used. No value is expected. |
-| */MANAGEMENT_DB_CUSTOM_SQLINSTANCE* | Specifies the name of the custom SQL instance that should be used to create a new database. For example, ```/MANAGEMENT_DB_CUSTOM_SQLINSTANCE="MYSQLSERVER"```. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this parameter will be ignored. |
-| */MANAGEMENT_DB_NAME* | Specifies the name of the new management database that should be created. For example, ```/MANAGEMENT_DB_NAME="AppVMgmtDB"```. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this will be ignored. |
-| */MANAGEMENT_SERVER_MACHINE_USE_LOCAL* | Indicates if the management server that will be accessing the database is installed on the local server. This is a switch parameter, so no value is expected. |
-| */MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT* | Specifies the machine account of the remote machine that the management server will be installed on. For example, ```/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="domain\computername"```. |
-| */MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT* | Indicates the Administrator account that will be used to install the management server. For example, ```/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT ="domain\alias"```. |
-
-### Parameter definitions for Publishing Server installation parameters
-
-| Parameter | Description |
-|-----------|-------------|
-| */PUBLISHING_SERVER* | Specifies that the publishing server will be installed. No value is expected. |
-| */PUBLISHING_MGT_SERVER* | Specifies the URL to Management Service the Publishing server will connect to. For example, ```http://;```.
If **/PUBLISHING_SERVER** isn't used, this parameter will be ignored. |
-| */PUBLISHING_WEBSITE_NAME* | Specifies name of the website that will be created for the publishing service. For example, ```/PUBLISHING_WEBSITE_NAME="Microsoft App-V Publishing Service"```. |
-| */PUBLISHING_WEBSITE_PORT* | Specifies the port number used by the publishing service. For example, ```/PUBLISHING_WEBSITE_PORT=83```. |
-
-### Parameter definitions for Reporting Server
-
-| Parameter | Description |
-|-----------|-------------|
-| */REPORTING_SERVER* | Specifies that the Reporting Server will be installed. No value is expected. |
-| */REPORTING_WEBSITE_NAME* | Specifies name of the website that will be created for the Reporting Service. For example, ```/REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"```. |
-| */REPORTING_WEBSITE_PORT* | Specifies the port number that the Reporting Service will use. For example, ```/REPORTING_WEBSITE_PORT=82```. |
-
-### Parameters for using an existing Reporting Server database
-
-| Parameter | Description |
-|-----------|-------------|
-| */EXISTING\_REPORTING\_DB_SQL_SERVER_USE_LOCAL* | Indicates that the Microsoft SQL Server is installed on the local server. This is a switch parameter, so no value is expected. |
-| */EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME* | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. For example, ```/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME="mycomputer1"```. |
-| */EXISTING_REPORTING_DB_SQLINSTANCE_USE_DEFAULT* | Indicates that the default SQL instance is to be used. This is a switch parameter, so no value is expected. |
-| */EXISTING_REPORTING_DB_CUSTOM_SQLINSTANCE* | Specifies the name of the custom SQL instance that should be used. Takes a string. For example, ```/EXISTING_REPORTING_DB_CUSTOM_SQLINSTANCE="MYSQLSERVER"```. |
-| */EXISTING_REPORTING_DB_NAME* | Specifies the name of the existing Reporting database that should be used. Takes a string.
For example, ```/EXISTING_REPORTING_DB_NAME="AppVReporting"```. | - -### Parameter definitions for Reporting Server database installation - -| Parameter | Description | -|-----------|-------------| -| */DB\_PREDEPLOY\_REPORTING* | Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected. | -| */REPORTING_DB_SQLINSTANCE_USE_DEFAULT* | Specifies the name of the custom SQL instance that should be used. Takes a string. For example, ```/REPORTING_DB_CUSTOM_SQLINSTANCE="MYSQLSERVER"```. | -| */REPORTING_DB_NAME* | Specifies the name of the new Reporting database that should be created. Takes a string. For example, ```/REPORTING_DB_NAME="AppVMgmtDB"```. | -| */REPORTING_SERVER_MACHINE_USE_LOCAL* | Indicates that the Reporting server that will be accessing the database is installed on the local server. This is a switch parameter, so no value is expected. | -| */REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT* | Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. For example, ```/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = "domain\computername"```. | -| */REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT* | Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. For example, ```/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = "domain\alias"```. | - -### Parameters for using an existing Management Server database - -| Parameter | Description | -|-----------|-------------| -| */EXISTING\_MANAGEMENT\_DB_SQL_SERVER_USE_LOCAL* | Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this variable will be ignored. | -| */EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME* | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. 
For example, ```/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME="mycomputer1"```. | -| */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT* | Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this variable will be ignored. | -| */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE* | Specifies the name of the custom SQL instance that will be used. For example, ```/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE="AppVManagement"```. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this will be ignored. | -| */EXISTING_MANAGEMENT_DB_NAME* | Specifies the name of the existing management database that should be used. For example, ```/EXISTING_MANAGEMENT_DB_NAME="AppVMgmtDB"```. If **/DB_PREDEPLOY_MANAGEMENT** isn't specified, this will be ignored. | - - - - - -## Related articles - -* [Deploying the App-V Server](appv-deploying-the-appv-server.md) diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md deleted file mode 100644 index ccd4d5e8c22..00000000000 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ /dev/null 
@@ -1,115 +0,0 @@
----
-title: How to Deploy the App-V Server (Windows 10/11)
-description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to Deploy the App-V Server (new installation)
-
->Applies to: Windows Server 2016
-
-## Before you start
-
->[!IMPORTANT]
->If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released.
-
-* Ensure that you’ve installed required software. See [App-V prerequisites](appv-prerequisites.md).
-* Review the server section of [App-V security considerations](appv-security-considerations.md).
-* Specify a port where each component will be hosted.
-* Add firewall rules to allow incoming requests to access the specified ports.
-* If you use SQL scripts instead of the Windows Installer to set up the Management database or Reporting database, you must run the required SQL scripts before installing the Management Server or Reporting Server. See [How to deploy the App-V databases by using SQL scripts](appv-deploy-appv-databases-with-sql-scripts.md).
-
-## Installing the App-V server
-
-1. Download the App-V server components. All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations:
-
- * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site.
- * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). - -2. Copy the App-V server installation files to the computer on which you want to install it. - -3. Start the App-V server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. - -4. Review and accept the license terms, and choose whether to enable Microsoft updates. - -5. On the **Feature Selection** page, select all components listed in the following table. - - | Component | Description | - |---|---| - | Management server | Provides overall management functionality for the App-V infrastructure. | - | Management database | Facilitates database predeployments for App-V management. | - | Publishing server | Provides hosting and streaming functionality for virtual applications. | - | Reporting server | Provides App-V reporting services. | - | Reporting database | Facilitates database predeployments for App-V reporting. | - -6. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. - -7. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. - - | Method | What you need to do | - |---|---| - | You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, then specify the instance name.
    Use the format **INSTANCENAME**. The assumed installation location is the local computer.
    Not supported: A server name using the format **ServerName**\\**INSTANCE**.| - | You are using a custom database name. | Select **Custom configuration** and type the database name.
    The database name must be unique, or the installation will fail.| - -8. On the **Configure** page, accept the default value, **Use this local computer**. - - > [!NOTE] - > If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed. - -9. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. - - | Method | What you need to do | - |---|---| - | You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, and type the name of the instance.
    Use the format **INSTANCENAME**. The assumed installation location is the local computer.
    Not supported: A server name using the format **ServerName**\\**INSTANCE**.| - | You are using a custom database name. | Select **Custom configuration** and type the database name.
    The database name must be unique, or the installation will fail.| - -10. On the **Configure** page, accept the default value: **Use this local computer**. - - > [!NOTE] - > If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed. - -11. On the **Configure** (Management Server Configuration) page, specify the following: - - | Item to configure | Description and examples | - |---|---| - | Specify AD group | Specify the AD group with sufficient permissions to manage the App-V environment. Example: MyDomain\MyUser

    After installation, you can add users or groups on the management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups to perform this action.| - |Website name | Specify the custom name that will be used to run the publishing service.
    If you do not have a custom name, you don't have to change it.| - |Port binding | Specify a unique port number that will be used by App-V. Example: **12345**
    Ensure that the port specified is not being used by another website. | - -12. On the **Configure Publishing Server Configuration** page, specify the following: - - | Item to configure | Description and examples | - |---|---| - | Specify the management service URL | Example: http://localhost:12345 | - | Website name | Specify the custom website name that will be used to run the publishing service.
    If you do not have a custom name, do not make any changes. | - | Port binding | Specify a unique port number that will be used by App-V. Example: 54321
    Ensure that the port specified is not being used by another website. | - -13. On the **Reporting Server** page, specify the following: - - | Item to configure | Description and examples | - |---|---| - | Website name | Specify the custom name that will be used to run the Reporting Service.
    If you do not have a custom name, do not make any changes. | - | Port binding | Specify a unique port number that will be used by App-V. Example: 55555
    Ensure that the port specified is not being used by another website.| - -14. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. - -15. To verify that the setup completed successfully, open a web browser, and type the following URL with the bracketed variables adjusted according to your specifications in the earlier steps: - - `http://:/console.html` - - Example: `http://localhost:12345/console.html`. If the installation succeeded, the App-V Management console will display with no errors. - -## Related articles - -* [Deploying App-V](appv-deploying-appv.md) -* [How to install the management and reporting databases on separate computers from the management and reporting services](appv-install-the-management-and-reporting-databases-on-separate-computers.md) -* [How to install the publishing server on a remote computer](appv-install-the-publishing-server-on-a-remote-computer.md) -* [How to deploy the App-V server using a script](appv-deploy-the-appv-server-with-a-script.md) diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md deleted file mode 100644 index 57ec0897716..00000000000 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ /dev/null 
@@ -1,50 +0,0 @@
----
-title: Deploying App-V (Windows 10/11)
-description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Deploying App-V for Windows client
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-App-V supports several different deployment options. Review this article for information about the tasks that you must complete at different stages in your deployment.
-
-## App-V Deployment Information
-
-* [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)
-
- This section describes how to install the App-V sequencer used to virtualize applications, and how to enable the App-V client that runs on target computers to facilitate virtualized packages.
-* [Deploying the App-V server](appv-deploying-the-appv-server.md)
-
- This section provides information about installing the App-V management, publishing, database, and reporting severs.
-* [App-V deployment checklist](appv-deployment-checklist.md)
-
- This section provides a deployment checklist that can be used to assist with installing App-V.
-
-The following sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization.
-
-* [Deploying Microsoft Office 2016 by using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
-* [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
-* [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
-
-## Other App-V deployment resources
-
-* [Application Virtualization (App-V) overview](appv-for-windows.md)
-* [Getting started with App-V](appv-getting-started.md)
-* [Planning for App-V](appv-planning-for-appv.md)
-* [Operations for App-V](appv-operations.md)
-* [Troubleshooting App-V](appv-troubleshooting.md)
-* [Technical reference for App-V](appv-technical-reference.md)
-
-
-
-
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
deleted file mode 100644
index e68c95f2302..00000000000
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Deploying Microsoft Office 2010 by Using App-V
-description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Deploying Microsoft Office 2010 by Using App-V
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-You can create Office 2010 packages for Microsoft Application Virtualization (App-V) using one of the following methods:
-
-* Application Virtualization (App-V) Sequencer
-* Application Virtualization (App-V) Package Accelerator
-
-## App-V support for Office 2010
-
-The following table shows the App-V versions, methods of Office package creation, supported licensing, and supported deployments for Office 2010.
-
-|Supported item|Support level|
-|---|---|
-|Package creation|- Sequencing
    - Package Accelerator
    - Office Deployment Kit| -|Supported licensing|Volume Licensing| -|Supported deployments|- Desktop
    - Personal VDI
    - RDS| - -## Creating Office 2010 App-V using the sequencer - -Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030). - -## Deploying the Microsoft Office package for App-V - -You can deploy Office 2010 packages by using any of the following App-V deployment methods: - -* Microsoft Configuration Manager -* App-V server -* Stand-alone through Windows PowerShell commands - -## Office App-V package management and customization - -Office 2010 packages can be managed like any other App-V packages through known package management mechanisms. No special instructions are needed, for example, to add, publish, unpublish, or remove Office packages. - -## Microsoft Office integration with Windows - -The following table provides a full list of supported integration points for Office 2010. - -(POPULATE THE THIRD COLUMN) - -|Extension Point|Description|Office 2010| -|---|---|---| -|Lync meeting Join Plug-in for Firefox and Chrome|User can join Lync meetings from Firefox and Chrome|| -|Sent to OneNote Print Driver|User can print to OneNote|Yes| -|OneNote Linked Notes|OneNote Linked Notes|| -|Send to OneNote Internet Explorer Add-In|User can send to OneNote from IE|| -|Firewall Exception for Lync and Outlook|Firewall Exception for Lync and Outlook|| -|MAPI Client|Native apps and add-ins can interact with virtual Outlook through MAPI|| -|SharePoint Plugin for Firefox|User can use SharePoint features in Firefox|| -|Mail Control Panel Applet|User gets the mail control panel applet in Outlook|Yes| -|Primary Interop Assemblies|Support managed add-ins|| -|Office Document Cache Handler|Allows Document Cache for Office applications|| -|Outlook Protocol Search handler|User can search in Outlook|Yes| -|Active X Controls:
    - Groove.SiteClient
    - PortalConnect.PersonalSite
    - SharePoint.openDocuments
    - SharePoint.ExportDatabase
    - SharePoint.SpreadSheetLauncher
    - SharePoint.StssyncHander
    - SharePoint.DragUploadCtl
    - SharePoint.DragDownloadCtl
    - Sharpoint.OpenXMLDocuments
    - Sharepoint.ClipboardCtl
    - WinProj.Activator
    - Name.NameCtrl
    - STSUPld.CopyCtl
    - CommunicatorMeetingJoinAx.JoinManager
    - LISTNET.Listnet
    - OneDrive Pro Browser Helper|Active X Control.

    For more information about ActiveX controls, see the [ActiveX Control API Reference](/previous-versions/office/developer/sharepoint-2010/ms440037(v=office.14)).|| -|OneDrive Pro Icon Overlays|Windows explorer shell icon overlays when users look at folders OneDrive Pro folders|| - -### Connection Groups - -* [Managing Connection Groups](appv-managing-connection-groups.md) - -### Dynamic Configuration - -* [About App-V Dynamic Configuration](appv-dynamic-configuration.md) diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md deleted file mode 100644 index 8b8c6ca547e..00000000000 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ /dev/null 
@@ -1,430 +0,0 @@ ---- -title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11) -description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# Deploying Microsoft Office 2013 by Using App-V - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. - -## What to know before you start - -Before you deploy Office 2013 with App-V, review the following planning information. - -### Supported Office versions and Office coexistence - -The following table will direct you to more information about which versions of Office App-V supports and how to run App-V with coexisting versions of Office. - -|Information to review|Description| -|---|---| -|[Supported versions of Microsoft Office](appv-planning-for-using-appv-with-office.md#supported-versions-of-microsoft-office)|- Supported versions of Office
    - Supported deployment types like desktop, personal Virtual Desktop Infrastructure (VDI), and pooled VDI
    - Office licensing options.| -|[Planning for using App-V with coexisting versions of Office](appv-planning-for-using-appv-with-office.md#before-you-implement-office-coexistence)|Considerations for installing different versions of Office on the same computer.| - -### Packaging, publishing, and deployment requirements - -Before you deploy Office with App-V, review the following requirements. - -|Task|Requirement| -|---|---| -|Packaging|All Office applications you wish to deploy to users must be in a single package.
    In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
    If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office).| -|Publishing|You can only publish one Office package per client computer.
    You must publish the Office package globally, not to the user.| -|Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
    You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.| - -### Excluding Office applications from a package - -The following table describes the recommended methods for excluding specific Office applications from a package. - -|Task|Details| -|---|---| -|Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool.|Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
    For more information, see [ExcludeApp element](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ad=US&rs=en-US&ui=en-US#excludeapp-element).| -|Modify the **DeploymentConfig.xml** file|Modify the **DeploymentConfig.xml** file after creating the package. This file contains the default package settings for all users on a computer running the App-V Client.
    For more information, see [Disabling Office 2013 applications](#disabling-office-2013-applications).| - -## Creating an Office 2013 package for App-V with the Office Deployment Tool - -Complete the following steps to create an Office 2013 package for App-V or later. - ->[!IMPORTANT] ->In App-V and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. - -### Review prerequisites for using the Office Deployment Tool - -Before you start, ensure that the computer on which you're installing the Office Deployment Tool has the following prerequisites fulfilled: - -|Prerequisite|Description| -|---|---| -|Prerequisite software|.NET Framework 4| -|Supported operating systems|64-bit version of Windows 8 or later
    64-bit version of Windows 7| - ->[!NOTE] ->In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing. - -### Create Office 2013 App-V packages using Office Deployment Tool - -You create Office 2013 App-V packages with the Office Deployment Tool. The following instructions explain how to create an Office 2013 App-V package with Volume Licensing or Subscription Licensing. - -Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. - -### Download the Office Deployment Tool - -Office 2013 App-V Packages are created using the Office Deployment Tool, which generates an Office 2013 App-V Package. The App-V sequencer can't create or modify packages. To create a package: - -1. Download the [Office 2013 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=36778). -2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. - - Example: \\\\Server\\Office2013 -3. Check that a **setup.exe** and a **configuration.xml** file exist and are in the location you specified. - -### Download Office 2013 applications - -After you download the Office Deployment Tool, you can use it to get the latest Office 2013 applications. You can create the Office 2013 App-V package after getting all the Office applications. - -The XML file included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included. - -1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: - - 1. Open the sample XML file in Notepad or your favorite text editor. - - 2. 
With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following example denotes a configuration.xml file: - - ```XML - - - - - - - - - - - ``` - - > [!NOTE] - >The configuration XML is a sample XML file. This file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. - - The previous example of an XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. The Product ID of the applications won't affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications by specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic. - - After editing the configuration.xml file to specify the desired product, languages, and also the location that the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2013 applications that will later be converted into an App-V package. 
An example command is: - - ```PowerShell - \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml - ``` - - The following table describes each element of the command: - - |Element|Description| - |---|---| - |```\\server\Office2013```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, **Customconfig.xml**.| - |```setup.exe```|This element is the Office Deployment Tool.| - |```/download```|This element downloads the Office 2013 applications that you specify in the **Customconfig.xml** file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.| - |```\\server\Office2013\Customconfig.xml```|This element passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After the download command is used, Office applications should be found in the location specified in the XML configuration file, which in this example is ```\\Server\Office2013```.| - -#### Customizable attributes and elements of the XML file - -|Input and description|Example| -|---|---| -|Add element:
    Specifies the products and languages to include in the package.|N/A| -|OfficeClientEdition (attribute of Add element):
    Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** isn't set to a valid value.|```OfficeClientEdition="32"```
    ```OfficeClientEdition="64"```| -|Product element:
    Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.|```Product ID="O365ProPlusRetail"```
    ```Product ID="VisioProRetail"```
    ```Product ID="ProjectProRetail"```
    ```Product ID="ProPlusVolume"```
    ```Product ID="ProjectProVolume"```| -|Language element:
    Specifies the language supported in the applications.|```Language ID="en-us"```| -|Version (attribute of Add element):
    Optional. Specifies a build to use for the package. Defaults to latest advertised build (as defined in v32.CAB at the Office source).|```15.1.2.3```| -|SourcePath (attribute of Add element):
    Specifies the location where the applications will be saved to.|```Sourcepath="\Server\Office2013”```| - -### Convert the Office applications into an App-V package - -After you download the Office 2013 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2013 App-V package. You'll need to make sure to have the right procedure depending on your licensing model. - -#### What you'll need to do - -* Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10/11 computers. -* Create an Office App-V package for either the Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, then modify the **Customconfig.xml** configuration file. - - The following table summarizes the values you need to enter in the **Customconfig.xml** file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. - -|Product ID|Volume Licensing|Subscription Licensing| -|---|---|---| -|Office 2013|ProPlusVolume|O365ProPlusRetail| -|Office 2013 with Visio 2013|ProPlusVolume
    VisioProVolume|O365ProPlusRetail
    VisioProRetail| -|Office 2013 with Visio 2013 and Project 2013|ProPlusVolume
    VisioProVolume
    ProjectProVolume|O365ProPlusRetail
    VisioProRetail
    ProjectProRetail| - -#### How to convert the Office applications into an App-V package - -1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - - * **SourcePath**: Point to the Office applications downloaded earlier. - * **ProductID**: Specify the type of licensing, as shown in the following examples: - * Subscription Licensing: - ```XML - - - - - - - - - - - ``` - In this example, the following changes were made to create a package with Subscription licensing: - - * **SourcePath** is the path, which was changed to point to the Office applications that were downloaded earlier. - * **Product ID** for Office was changed to `O365ProPlusRetail`. - * **Product ID** for Visio was changed to `VisioProRetail`. - * Volume Licensing - ```XML - - - - - - - - - - - ``` - In this example, the following changes were made to create a package with Volume licensing: - - * **SourcePath** is the source's path, which was changed to point to the Office applications that were downloaded earlier. - * **Product ID** for Office was changed to `ProPlusVolume`. - * **Product ID** for Visio was changed to `VisioProVolume`. - * **ExcludeApp** (optional) lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath. - * **PACKAGEGUID** (optional)—By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server. - - An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users. 
- - > [!NOTE] - >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. -2. Use the **/packager** command to convert the Office applications to an Office 2013 App-V package. - - For example: - - ```PowerShell - \\server\Office2013\setup.exe /packager \\server\Office2013\Customconfig.xml \\server\share\Office2013AppV - ``` - - In the example: - - |Element|Description| - |---|---| - |```\\server\Office2013```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is named **Customconfig.xml**.| - |```setup.exe```|This element is the Office Deployment Tool.| - |```/packager```|This element creates the Office 2013 App-V package with Volume Licensing as specified in the **Customconfig.xml** file.| - |```\\server\Office2013\Customconfig.xml```|This element passes the configuration XML file, which in this example is named "Customconfig," that has been prepared for the packaging stage.| - |```\\server\share\Office2013AppV```|This element specifies the location of the newly created Office App-V package.| - - After you run the **/packager** command, the following folders will appear in the directory where you specified the package should be saved: - - * **App-V Packages**, which contains an Office 2013 App-V package and two deployment configuration files.
    - * **WorkingDir** - - > [!NOTE] - >To troubleshoot any issues, see the log files in the %temp% directory (default). -3. Verify that the Office 2013 App-V package works correctly: - - 1. Publish the Office 2013 App-V package that you created globally to a test computer and verify that the Office 2013 shortcuts appear. - 2. Start a few Office 2013 applications, such as Excel or Word, to test that your package is working as expected. - -## Publishing the Office package for App-V - -Use the following information to publish an Office package. - -### Methods for publishing Office App-V packages - -Deploy the App-V package for Office 2013 by using the same methods you use for any other package: - -* Microsoft Configuration Manager -* App-V Server -* Stand-alone through Windows PowerShell commands - -### Publishing prerequisites and requirements - -|Prerequisite or requirement|Details| -|---|---| -|Enable Windows PowerShell scripting on the App-V clients.|To publish Office 2013 packages, you must run a script. Package scripts are disabled by default on App-V clients. To enable scripting, run the following Windows PowerShell command:
    ```Set-AppvClientConfiguration –EnablePackageScripts 1```| -|Publish the Office 2013 package globally.|Extension points in the Office App-V package require installation at the computer level.
    When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2013 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages.| - -### How to publish an Office package - -Run the following command to publish an Office package globally, with the bracketed value replaced by the path to the App-V package: - -```PowerShell -Add-AppvClientPackage | Publish-AppvClientPackage –global -``` - -* From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group. - -## Customizing and managing Office App-V packages - -To manage your Office App-V packages, use the same operations as you would for any other package, but there are a few exceptions, as outlined in the following sections. - -* [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups) -* [Disabling Office 2013 applications](#disabling-office-2013-applications) -* [Disabling Office 2013 shortcuts](#disabling-office-2013-shortcuts) -* [Managing Office 2013 package upgrades](#managing-office-2013-package-upgrades) -* [Managing Office 2013 licensing upgrades](#managing-office-2013-licensing-upgrades) -* [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office) - -### Enabling Office plug-ins by using connection groups - -Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You can't use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps. 
- -#### To enable plug-ins for Office App-V packages - -1. Add a Connection Group through App-V Server, Microsoft Configuration Manager, or a Windows PowerShell cmdlet. -2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins. -3. Create an App-V package that includes the desired plug-ins. -4. Add a Connection Group through App-V Server, Configuration Manager, or a Windows PowerShell cmdlet. -5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created. - - >[!IMPORTANT] - >The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2013 App-V package first, then add the plug-in App-V package. -6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2013 App-V package. -7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2013 App-V package has. - - Since the Office 2013 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as **Integrated** and that both **InProcessEnabled** and **OutOfProcessEnabled** match the settings of the Office 2013 App-V package you published. -8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**. -9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the updated file. -10. 
Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2013 App-V package is in use when the Connection Group is enabled. If that happens, you'll have to reboot to successfully enable the Connection Group. -11. After you successfully publish both packages and enable the Connection Group, start the target Office 2013 application and verify that the plug-in you published and added to the Connection Group works as expected. - -### Disabling Office 2013 applications - -You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You don't have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you'll save the changes, add the Office 2013 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. - ->[!NOTE] ->To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool#excludeapp-element). - -#### To disable an Office 2013 application - -1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications." -2. Search for the Office application you want to disable, for example, Access 2013. -3. Change the value of "Enabled" from "true" to "false." -4. Save the Deployment Configuration File. -5. Add the Office 2013 App-V Package with the new Deployment Configuration File. 
- - ``` XML - - - InfoPath Filler 2013 - - - - - - - Lync 2013 - - - - - - - Access 2013 - - - - - ``` -6. Re-add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. - -### Disabling Office 2013 shortcuts - -You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access. - -1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”. -2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut. - - ```XML - Shortcuts - - --> - - - - - [{Common Programs}]\Microsoft Office 2013\Access 2013.lnk - [{AppvPackageRoot}])office15\MSACCESS.EXE - [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico - - - Microsoft.Office.MSACCESS.EXE.15 - true - Build a professional app quickly to manage data. - l - [{AppVPackageRoot}]\office15\MSACCESS.EXE - - ``` -3. Save the Deployment Configuration File. -4. Republish Office 2013 App-V Package with new Deployment Configuration File. - -Many more settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. - -### Managing Office 2013 package upgrades - -To upgrade an Office 2013 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2013 package, perform the following steps. 
- -#### How to upgrade a previously deployed Office 2013 package - -1. Create a new Office 2013 package through the Office Deployment Tool that uses the most recent Office 2013 application software. The most recent Office 2013 bits can always be obtained through the download stage of creating an Office 2013 App-V Package. The newly created Office 2013 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - - > [!NOTE] - > Office App-V packages have two Version IDs: - > * An Office 2013 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - > * A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2013 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2013 package. -2. Globally publish the newly created Office 2013 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2013 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. -3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. 
- -### Managing Office 2013 licensing upgrades - -If a new Office 2013 App-V Package has a different license than the Office 2013 App-V Package currently deployed. For instance, the Office 2013 package deployed is a subscription based Office 2013 and the new Office 2013 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade: - -#### How to upgrade an Office 2013 License - -1. Unpublish the already deployed Office 2013 Subscription Licensing App-V package. -2. Remove the unpublished Office 2013 Subscription Licensing App-V package. -3. Restart the computer. -4. Add the new Office 2013 App-V Package Volume Licensing. -5. Publish the added Office 2013 App-V Package with Volume Licensing. - -An Office 2013 App-V Package with your chosen licensing will be successfully deployed. - -### Deploying Visio 2013 and Project 2013 with Office - -This section describes the requirements and options for deploying Visio 2013 and Project 2013 with Office. - -* **To package and publish Visio 2013 and Project 2013 with Office**: Include Visio 2013 and Project 2013 in the same package with Office. If you aren’t deploying Office, you can create a package that contains Visio and/or Project. -* **To deploy Visio 2013 and Project 2013 to specific users**: Use one of the following methods: - -|Goal|Method| -|---|---| -|Create two different packages and deploy each one to a different group of users|Create and deploy the following packages:
    A package that contains only Office—deploy to computers whose users need only Office.
    A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.| -|Create just one package for the whole organization, or for users who share computers|Follow these steps:
    1. Create a package that contains Office, Visio, and Project.
    2. Deploy the package to all users.
    3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project.|
-
-## Additional resources
-
-### Additional resources for Office 2013 App-V Packages
-
-* [Office 2013 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=36778)
-
-### Additional resources for Connection Groups
-
-* [Managing Connection Groups](appv-managing-connection-groups.md)
-* [Connection groups on the App-V team blog](/archive/blogs/gladiator/app-v-5-more-on-connection-groups)
-
-### Additional resources for Dynamic Configuration
-
-* [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
deleted file mode 100644
index e76a52b47d5..00000000000
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ /dev/null
@@ -1,383 +0,0 @@
----
-title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11)
-description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Deploying Microsoft Office 2016 by using App-V
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md).
-
-## What to know before you start
-
-Before you deploy Office 2016 with App-V, review the following planning information.
-
-### Supported Office versions and Office coexistence
-
-Use the following table to get information about supported versions of Office and running coexisting versions of Office.
-
-|Information to review|Description|
-|---|---|
-|[Supported versions of Microsoft Office](appv-planning-for-using-appv-with-office.md#supported-versions-of-microsoft-office)|Supported versions of Office and deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), and pooled VDI), and Office licensing options.|
-|[Planning for using App-V with coexisting versions of Office](appv-planning-for-using-appv-with-office.md#before-you-implement-office-coexistence)|Considerations for installing different versions of Office on the same computer.|
-
-### Packaging, publishing, and deployment requirements
-
-Before you deploy Office with App-V, review the following requirements.
-
-|Task|Requirement|
-|-----------|-------------------|
-| Packaging. | All Office applications that you deploy to users must be in a single package.
    In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
    If you're deploying Microsoft Visio 2016 and Microsoft Project 2016 at the same time as Office, you must put them all in the same package. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). | -| Publishing. | You can only publish one Office package per client computer.
    You must publish the Office package globally, not to the user. | -| Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). | - -### Excluding Office applications from a package - -The following table describes the recommended methods for excluding specific Office applications from a package. - -|Task|Details| -|-------------|---------------| -| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | With this setting, you can exclude specific Office applications from the package that the Office Deployment Tool creates. For example, you can use this setting to create a package that contains only Microsoft Word.
    For more information, see [ExcludeApp element](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ad=US&rs=en-US&ui=en-US#excludeapp-element). | -| Modify the DeploymentConfig.xml file | Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.
    For more information, see [Disabling Office 2016 applications](#disabling-office-2016-applications). | - -## Creating an Office 2016 package for App-V with the Office Deployment Tool - -Complete the following steps to create an Office 2016 package for App-V. - ->[!IMPORTANT] ->In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You can't use the Sequencer to create packages. - -### Review prerequisites for using the Office Deployment Tool - -The computer on which you're installing the Office Deployment Tool must have the following: - -| Prerequisite | Description | -|----------------------|--------------------| -| Prerequisite software | .NET Framework 4 | -| Supported operating systems | 64-bit version of Windows 10/11
    64-bit version of Windows 8 or 8.1
    64-bit version of Windows 7 | - ->[!NOTE] ->In this topic, the term “Office 2016 App-V package” refers to subscription licensing. - -### Create Office 2016 App-V packages with the Office Deployment Tool - -You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with subscription licensing. - -Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. - -### Download the Office Deployment Tool - -Office 2016 App-V packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package can't be created or modified through the App-V sequencer. To begin package creation, follow these steps: - -1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). - - >[!IMPORTANT] - >You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. -2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. - - Example location: \\\\Server\\Office2016 -3. Check that the **setup.exe** and **configuration.xml** files exist and are in the location you specified. - -### Download Office 2016 applications - -After you download the Office Deployment Tool, you can use it to get the latest Office 2016 applications. After getting the Office applications, you create the Office 2016 App-V package. - -The XML file included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included. - -1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: - 1. 
Open the sample XML file in Notepad or your favorite text editor. - 2. With the sample **configuration.xml** file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the **configuration.xml** file: - - ```XML - - - - - - - - - - - ``` - - > [!NOTE] - >The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To uncomment these lines, remove the `````` from the end of the line. - - The previous example of an XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016 location where Office applications will be saved. The Product ID of the applications won't affect Office's final licensing. You can create Office 2016 App-V packages with various licensing from the same applications by specifying licensing in a later stage. The following table summarizes the XML file's customizable attributes and elements: - - | Input | Description | Example | - |--------------|----------------------------|----------------| - | Add element | Specifies which products and languages the package will include. | N/A | - | **OfficeClientEdition** (attribute of **Add** element) | Specifies whether Office 2016 32-bit or 64-bit edition will be used. **OfficeClientEdition**  must be set to a valid value for the operation to succeed. | `OfficeClientEdition="32"`
    `OfficeClientEdition="64"` | - | Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as added products to include them in the applications.
    For more information about Product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](/office365/troubleshoot/installation/product-ids-supported-office-deployment-click-to-run). | `Product ID ="O365ProPlusRetail"`
    `Product ID ="VisioProRetail"`
    `Product ID ="ProjectProRetail"` | - | Language element | Specifies which language the applications support. | `Language ID="en-us"` | - | Version (attribute of **Add** element) | Optional. Specifies which build the package will use.
    Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` | - | SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` | - | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
    The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client.
    For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
    `Channel="Deferred"`
    `Channel="FirstReleaseDeferred"`
    `Channel="FirstReleaseCurrent"` | - -After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml." -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. An example command is: - - `\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml` - - The following table describes the example command's elements: - - | Element | Description | - |-------------------------------|--------------------------------------| - | ```\\server\Office2016``` | This network share location is the one that contains the Office Deployment Tool and the custom **Configuration.xml** file, which in this example is **Customconfig.xml**. | - | ``Setup.exe`` | This element is the Office Deployment Tool. | - | ```/download``` | Downloads the Office 2016 applications that you specify in the **Customconfig.xml** file. | - | ```\\server\Office2016\Customconfig.xml```| This element passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After the download command is used, Office applications should be found in the location specified in the configuration file, which in this example is ```\\Server\Office2016```. | - -### Convert the Office applications into an App-V package - -After you download the Office 2016 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2016 App-V package. Complete the steps that correspond to your licensing model. - -#### What you’ll need to do - -* Create the Office 2016 App-V packages on 64-bit Windows computers. 
However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10/11 computers. -* Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the **Customconfig.xml** configuration file. - - The following table summarizes the values you need to enter in the **Customconfig.xml** file. The steps in the sections that follow the table will specify the exact entries you need to make. - ->[!NOTE] ->You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. - -| Product ID | Subscription licensing | -|---|---| -| Office 2016| O365ProPlusRetail | -| Office 2016 with Visio 2016 | O365ProPlusRetail
    VisioProRetail | -| Office 2016 with Visio 2016 and Project 2016 | O365ProPlusRetail
    VisioProRetail
    ProjectProRetail | - -#### How to convert the Office applications into an App-V package - -1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - - * **SourcePath**: Change to the location where you saved the Office applications you downloaded during setup. - * **ProductID**: Specify the type of licensing, as shown in the following example: - - * Subscription Licensing: - ```XML - - - - - - - - - - - ``` - This example made the following changes to create this Subscription Licensing package: - - * **SourcePath** was changed to point to the Office applications that were downloaded earlier. - * **Product ID** for Office was changed to `O365ProPlusRetail`. - * **Product ID** for Visio was changed to `VisioProRetail`. - * **ExcludeApp** (optional): Lets you specify Office programs that you don’t want included in the App-V package created by the Office Deployment Tool. For example, you can exclude Access. - * **PACKAGEGUID** (optional): By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use **PACKAGEGUID** to specify a different package ID for each package, which allows you to publish multiple App-V packages created by the Office Deployment Tool, and then manage your published packages with the App-V Server. - - An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users. - - > [!NOTE] - >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. -2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. 
- - An example packager command is: - - ```syntax - \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV - ``` - - The following table describes each element used in the example command: - - | Element | Description | - |-------------------------------|--------------------------------------| - |```\\server\Office2016```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is Customconfig.xml.| - |```Setup.exe```|This element is the Office Deployment Tool.| - |```/packager```|This command creates the Office 2016 App-V package with the license type specified in the Customconfig.xml file.| - |```\\server\Office2016\Customconfig.xml```|This element passes the configuration XML file that has been prepared for the packaging stage. In this example, the file is Customconfig.xml.| - |```\\server\share\Office2016AppV```|This element specifies the location of the newly created Office App-V package.| - - After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - - * **App-V Packages**—contains an Office 2016 App-V package and two deployment configuration files. - * **WorkingDir** - - > [!NOTE] - >To troubleshoot any issues, see the log files in the %temp% directory (default). -3. Verify that the Office 2016 App-V package works correctly: - - 1. Publish the Office 2016 App-V package that you created globally to a test computer and verify that the Office 2016 shortcuts appear. - 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. - -## Publishing the Office package for App-V - -Use the following information to publish an Office package. 
- -### Methods for publishing Office App-V packages - -Deploy the App-V package for Office 2016 by using the same methods as the other packages that you've already deployed: - -* Microsoft Configuration Manager -* App-V Server -* Stand-alone through Windows PowerShell commands - -### Publishing prerequisites and requirements - -| Prerequisite or requirement | Details | -|---------------------------------------|--------------------| -| Enable Windows PowerShell scripting on the App-V clients. | To publish Office 2016 packages, you must run a script. However, package scripts are disabled by default on App-V clients. To enable scripting, run the following Windows PowerShell command:
    `Set-AppvClientConfiguration -EnablePackageScripts 1` | -| Publish the Office 2016 package globally. | Extension points in the Office App-V package require installation at the computer level.
    When you publish at the computer level, no prerequisite actions or redistributables are needed. The Office 2016 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages. | - -### How to publish an Office package - -Run the following command to publish an Office package globally: - -```PowerShell -Add-AppvClientPackage | Publish-AppvClientPackage -global -``` - -* You can add permissions to a group of computers instead of just a user group through the Web Management Console on the App-V Server. This feature lets packages be published globally to the computers in the corresponding group. - -## Customizing and managing Office App-V packages - -To manage your Office App-V packages, use the same operations as you would for any other package, with a few exceptions as outlined in the following sections. - -* [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups) -* [Disabling Office 2016 applications](#disabling-office-2016-applications) -* [Disabling Office 2016 shortcuts](#disabling-office-2016-shortcuts) -* [Managing Office 2016 package upgrades](#managing-office-2016-package-upgrades) -* [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office) - -### Enabling Office plug-ins by using connection groups - -The following steps will tell you how to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that only contains the plug-ins (you can't use the Office Deployment Tool to create the plug-ins package). After that, create a connection group that contains the Office package and the plug-ins package. - -#### Enable plug-ins for Office App-V packages - -1. Add a Connection Group through App-V Server, Microsoft Configuration Manager, or a Windows PowerShell cmdlet. -2. 
Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins. -3. Create an App-V package that includes the plug-ins you want. -4. Add a Connection Group through the App-V Server, Configuration Manager, or a Windows PowerShell cmdlet. -5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created. - - >[!IMPORTANT] - >The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. -6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match published Office 2016 App-V package's global settings. -7. Verify that the plug-in package's Deployment Configuration file has the same settings as the Office 2016 App-V package. - - The Office 2016 App-V plug-in package's settings must match those of the operating system to allow for integration. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2016 App-V package you published. -8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**. -9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file. -10. Ensure that the Connection Group you created on your desired computer is enabled. The Connection Group created will be shown as "pending" if the Office 2016 App-V package is being used while the Connection Group is enabled. 
If that happens, you'll have to reboot the computer to successfully enable the Connection Group. -11. After you successfully publish both packages and enable the Connection Group, verify the plug-ins you published on the Connection Group work as expected. - -### Disabling Office 2016 applications - -You can also disable specific applications in your Office App-V package. For example, if you don't want to use Access, you can disable Access while leaving all other Office applications available. When you disable an application, the user will no longer see its shortcut icon. You don't need to re-sequence the application to disable it. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, just save the changes and add the Office 2016 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. - ->[!NOTE] ->To exclude specific Office applications when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. - -#### Disable an Office 2016 application - -1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications." -2. Search for the Office application you want to disable, for example, Access 2016. -3. Change the value of **Enabled** to **false**. -4. Save the Deployment Configuration File. -5. Add the Office 2016 App-V Package with the new Deployment Configuration File. - - ```XML - - - Lync 2016 - - - - - - - Access 2016 - - - - - ``` -6. Re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. - -### Disabling Office 2016 shortcuts - -You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access. 
- -#### Disable shortcuts for Office 2016 applications - -1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”. -2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. The following example shows how to delete the Microsoft Access shortcuts while keeping the subsystems ` ` intact. - - ``` XML - Shortcuts - - --> - - - - - [{Common Programs}]\Microsoft Office 2016\Access 2016.lnk - [{AppvPackageRoot}])office16\MSACCESS.EXE - [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico - - - Microsoft.Office.MSACCESS.EXE.16 - true - Build a professional app quickly to manage data. - l - [{AppVPackageRoot}]\office16\MSACCESS.EXE - - ``` -3. Save the Deployment Configuration File. -4. Republish the Office 2016 App-V Package with the new Deployment Configuration File. - -Many more settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. - -### Managing Office 2016 package upgrades - -To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2016 package, perform the steps outlined in the following section. - -#### How to upgrade a previously deployed Office 2016 package - -1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. 
- - > [!NOTE] - >Office App-V packages have two Version IDs: - >* An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - >* A second App-V Package Version ID, formatted as X.X.X.X, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect the new version of Office. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package. -2. Globally publish the newly created Office 2016 App-V Packages onto the computers you want to apply the new updates to. Since the new package has the same lineage as the older Office 2016 App-V Package, publishing will be fast, as publishing the new package with the updates only applies the new changes to the old package. -3. Upgrades will be applied in the same manner of any globally published App-V packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. - -### Deploying Visio 2016 and Project 2016 with Office - -The following table describes the requirements and options for deploying Visio 2016 and Project 2016 with Office. - -| Task | Details | -|---------------------|---------------| -| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
    If you're not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. | -| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
    **To create two different packages and deploy each one to a different group of users**:
    Create and deploy the following packages:
    - A package that contains only Office—deploy to computers whose users need only Office.
    - A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.

    **To create only one package for the whole organization, or to create a package intended for users who share computers**:
    1. Create a package that contains Office, Visio, and Project.
    2. Deploy the package to all users.
    3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. | - -## Related articles - -* [Deploying App-V for Windows client](appv-deploying-appv.md) -* [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) -* [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) -* [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md deleted file mode 100644 index f9ba5b9a574..00000000000 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ /dev/null 
@@ -1,34 +0,0 @@
----
-title: Deploying App-V packages by using electronic software distribution (ESD)
-description: Deploying App-V packages by using electronic software distribution (ESD)
-author: aczechowski
-ms.service: windows-client
-ms.date: 09/27/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Deploying App-V packages by using electronic software distribution (ESD)
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-You can deploy App-V packages using an electronic software distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md).
-
-To learn how to deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv)
-
-## How to deploy virtualized packages using an ESD
-
-To learn more about how to deploy virtualized packages using an ESD, see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md).
-
-## How to enable only administrators to publish packages by using an ESD
-
-To learn how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD, see [How to enable only administrators to publish packages by using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md).
-
-## Related articles
-
-- [App-V and Citrix integration](https://www.microsoft.com/download/details.aspx?id=40885)
-- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
deleted file mode 100644
index d9f21502187..00000000000
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ /dev/null
@@ -1,96 +0,0 @@ ---- -title: Deploying the App-V Sequencer and configuring the client (Windows 10/11) -description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# Deploying the App-V Sequencer and configuring the client - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -The App-V Sequencer and client let administrators virtualize and run virtual applications. - -## Enable the client - -The App-V client is the component that runs a virtualized application on a target computer. The client lets users interact with icons and file types, starting virtualized applications. The client can also get the virtual application content from the management server. - ->[!NOTE] ->Starting with Windows 10 version 1607, App-V is included with the operating system. You only need to enable it. - -[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) - -## Client configuration settings - -The App-V client stores its configuration in the registry. Understanding the format used in the data registry can help you learn useful information about the client. For information about client settings that you can configure through Windows PowerShell or through the registry, see [About client configuration settings](appv-client-configuration-settings.md). - -## Configure the client by using the ADMX template and Group Policy - -You can use Group Policy to configure the client settings for the App-V client and the Remote Desktop Services client. - -To manage the ADMX template, perform the following steps on the computer that you'll use to manage Group Policy. This computer is typically the Domain Controller. - -1. 
Save the **.admx** file to the following directory: ```Windows\PolicyDefinitions``` -2. Save the **.adml** file to the following directory: ```Windows\PolicyDefinitions\``` - -After you've completed the preceding steps, you can use Group Policy to configure the client settings by using the Group Policy Management Console under **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. - -## Understanding Shared Content Store mode for App-V clients - -App-V Shared Content Store (SCS) mode lets SCS App-V clients run virtualized applications without having to save any of the associated package data locally. All required virtualized package data is transmitted across the network; therefore, you should only use SCS mode in environments with a fast connection. Both the Remote Desktop Services (RDS) and the standard version of the App-V client are supported with SCS mode. - ->[!IMPORTANT] ->If the App-V client is configured to run in the SCS mode, the location where the App-V packages are streamed from must be available, otherwise, the virtualized package will fail. Additionally, we do not recommend deployment of virtualized applications to computers that run the App-V client in the SCS mode across the internet. - -Additionally, the SCS isn't a physical location that contains virtualized packages. It's a mode that allows the App-V client to stream the required virtualized package data across the network. - -The SCS mode is helpful in the following scenarios: - -* Virtual desktop infrastructure (VDI) deployments -* Remote Desktop Services deployments - -To use SCS in your environment, you must configure the App-V client to run in SCS mode, as it doesn't use SCS mode by default. - -There might be cases when the administrator pre-loads some virtual applications on the computer that runs the App-V client in SCS mode. This pre-load operation can be rendered a successful one with Windows PowerShell commands to add, publish, and mount the package. 
For example, if a package is pre-loaded on all computers, the administrator could add, publish, and mount the package by using Windows PowerShell commands. The package wouldn't stream across the network because it would be locally stored. - -### Configure the Group Policy setting for the SCS Mode for App-V clients - -Use the following steps to locate and configure the Group Policy setting for the SCS Mode for App-V clients. - -1. In the Group Policy Management Console, navigate to **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Streaming**. -2. Enable the **Set the Shared Content Mode (SCS) mode** setting. - -### Configure an individual client to use SCS mode - -To configure the App-V client to run in SCS mode, on the client, enter the following Windows PowerShell command: - -```PowerShell -Set-AppvClientConfiguration -SharedContentStoreMode 1 -``` - -## Deploy the Sequencer - -The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications. - -For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md). - -To deploy the sequencer, see [How to install the Sequencer](appv-install-the-sequencer.md). - -## App-V client and Sequencer logs - -You can use the App-V Sequencer log information to troubleshoot Sequencer installation and operational events while using App-V. The Sequencer-related log information can be reviewed with the **Event Viewer**. The following file path is the specific path for Sequencer-related events: - -**Event Viewer\Applications and Services Logs\Microsoft\App V**. - ->[!NOTE] ->Sequencer-related events are prepended with **AppV\_Sequencer**. 
Client-related events are prepended with **AppV\_Client**. - - - diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md deleted file mode 100644 index 35e22a14003..00000000000 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ /dev/null 
@@ -1,118 +0,0 @@ ---- -title: Deploying the App-V Server (Windows 10/11) -description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# Deploying the App-V server - ->Applies to: Windows Server 2016 - -You can install the Application Virtualization (App-V) server components using different deployment configurations, which are described in this topic. Before you install the server features, review the server section of [App-V security considerations](appv-security-considerations.md). - ->[!NOTE] ->If you plan to use the App-V server components in your deployment, note that the version number is still listed as App-V 5.x, as the App-V server components have not changed in App-V for Windows client. - -To learn more about deploying App-V for Windows client, read [What's new in App-V](appv-about-appv.md). - ->[!IMPORTANT] ->Before installing and configuring the App-V servers, you must specify the port or ports where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports, as the installer does not modify firewall settings. - -## Download and install App-V server components - ->[!NOTE] ->If you're already using App-V 5.x, you don't need to re-deploy the App-V server components, as they haven't changed since App-V 5.0 was released. - -App-V offers the following five server components, each of which serves a specific purpose in an App-V environment. - -* **Management server.** Use the App-V management server and console to manage your App-V infrastructure. 
See [Administering App-V with the management console](appv-administering-virtual-applications-with-the-management-console.md) for more information about the management server. - - > [!NOTE] - > If you are using App-V with your electronic software distribution solution, you don’t need to use the management server and console. However, you may want to take advantage of the reporting and streaming capabilities in App-V. - -* **Management database.** Use the App-V management database to facilitate database pre-deployments for App-V management. For more information about the management database, see [How to deploy the App-V server](appv-deploy-the-appv-server.md). - -* **Publishing server.** Use the App-V publishing server to host and stream virtual applications. The publishing server supports the HTTP and HTTPS protocols and does not require a database connection. To learn how to configure the publishing server, see [How to install the App-V publishing server](appv-install-the-publishing-server-on-a-remote-computer.md). - -* **Reporting server.** Use the App-V reporting server to generate reports that help you manage your App-V infrastructure. The reporting server requires a connection to the reporting database. To learn more about App-V's reporting capabilities, see [About App-V reporting](appv-reporting.md). - -* **Reporting database.** Use the App-V reporting database to facilitate database pre-deployments for App-V reporting. To learn more about the reporting database, see [How to deploy the App-V server](appv-deploy-the-appv-server.md). - -All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: - -* The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. 
-* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). - -In large organizations, you might want to install more than one instance of the server components to get the following benefits. - -* Fault tolerance for situations when one of the servers is unavailable. -* High availability to balance server requests. A network load balancer can also help you achieve this. -* Scalability to support high loads. For example, you can install additional servers behind a network load balancer. - -## App-V standalone deployment - -The App-V standalone deployment's topology is good for small deployments or test environments. In this implementation type, all server components are installed on a single computer. The services and associated databases will compete for the resources on the computer that runs the App-V components. However, because services and associated databases will compete for the computer's resources, it's not a good idea to use the standalone deployment for larger deployments. - -The following articles will give you more information about how to set up an App-V standalone deployment. - -* [How to deploy the App-V server](appv-deploy-the-appv-server.md) -* [How to deploy the App-V server using a script](appv-deploy-the-appv-server-with-a-script.md) - -## App-V server distributed deployment - -The distributed deployment topology can support a large App-V client base, allowing you to more easily manage and scale your environment. When you use this type of deployment the App-V server components are deployed across multiple computers, based on your organization's structure and requirements. 
- -* [How to install the management and reporting databases on separate computers from the management and reporting services](appv-install-the-management-and-reporting-databases-on-separate-computers.md) -* [How to install the management server on a standalone computer and connect it to the database](appv-install-the-management-server-on-a-standalone-computer.md) -* [How to deploy the App-V server using a script](appv-deploy-the-appv-server-with-a-script.md) -* [How to install the publishing server on a remote computer](appv-install-the-publishing-server-on-a-remote-computer.md) -* [How to install the management server on a standalone computer and connect it to the database](appv-install-the-management-server-on-a-standalone-computer.md) - -## Using an Enterprise Software Distribution (ESD) solution and App-V - -You can also deploy packages with an ESD. Its full integration capabilities will vary depending on which ESD you use. - ->[!NOTE] ->The App-V reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality. - -* [Deploying App-V packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) - -## App-V Server logs - -You can use App-V server log information to help troubleshoot the server installation and operational events while using App-V. The server-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Server-related events: - -**Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V** - -Associated setup logs are saved in the following directory: - -**%temp%** - -## App-V reporting - -App-V reporting allows App-V clients to collect data and then send it back to be stored in a central repository. 
You can use this information to get a better view of the virtual application usage within your organization. The following list displays some of the types of information the App-V client collects: - -* Information about the computer running the App-V client. -* Information about virtualized packages on a specific computer running the App-V client. -* Information about package open and shutdown for a specific user. - -The reporting information will be maintained until it is successfully sent to the reporting server database. After the data is in the database, you can use Microsoft SQL Server Reporting Services (SSRS) to generate any necessary reports. - -If you want to retrieve report information, you must use Microsoft SQL SSRS, which is available with Microsoft SQL. SSRS must be deployed separately to generate the associated reports, as it isn't automatically installed during App-V server installation. - -For more information, see [About App-V reporting](appv-reporting.md) and [How to enable reporting on the App-V client by using Windows PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md). - -## Other App-V server resources - -* [Deploying App-V](appv-deploying-appv.md) - - - - diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md deleted file mode 100644 index 0b06042ae16..00000000000 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: App-V Deployment Checklist (Windows 10/11) -description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# App-V Deployment Checklist - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorities while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use. - -|Status|Task|References|Notes| -|---|---|---|---| -|![Checklist box.](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)|| -|![Checklist box.](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
    [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
    [How to deploy the App-V server](appv-deploy-the-appv-server.md)|| - ->[!NOTE] ->Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process. - - - - - -## Related articles - -* [Deploying App-V](appv-deploying-appv.md) diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md deleted file mode 100644 index d6073f10c0b..00000000000 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ /dev/null 
@@ -1,617 +0,0 @@ ---- -title: About App-V Dynamic Configuration (Windows 10/11) -description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. -author: aczechowski -ms.service: windows-client -ms.date: 09/27/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# About App-V dynamic configuration - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. - -When you edit the Dynamic Configuration file, it customizes how an App-V package will run for a user or group. Therefore, package customization is made more convenient by removing the need to resequence packages using the desired settings and provides a way to keep package content and custom settings independent. - -## Advanced: dynamic configuration - -Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no further customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: - -- User Configuration file -- Deployment Configuration file - -These .xml files specify package settings let you customize packages without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. These automatically generated configuration files reflect the package's default settings that were configured during sequencing. 
If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This result provides you with a package-specific template to get started if any of the defaults must be changed. - ->[!NOTE] ->The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. - -## Dynamic Configuration file contents - -All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. The following list represents the relationship between these files in how they'll be read, from most to least precedence: - -- User Configuration .xml file -- Deployment Configuration .xml file -- Package Manifest - -The first item represents what will be read last. Therefore, its content takes precedence. All packages inherently contain and provide default settings from the Package Manifest, but it also has the least precedence. If you apply a Deployment Configuration .xml file with customized settings, it will override the Package Manifest's defaults. If you apply a User Configuration .xml file with customized settings prior to the override of the Package Manifest's defaults, it will override both the deployment configuration and the Package Manifest's defaults. - -There are two types of configuration files: - -- **User Configuration file (UserConfig)**: Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V client. -- **Deployment Configuration file (DeploymentConfig)**: Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V client. 
- -You can use the UserConfig file to customize the settings for a package for a specific set of users on a computer or make changes that will be applied to local user locations such as HKCU. You can use the DeploymentConfig file to modify the default settings of a package for all users on a machine or make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the All Users folder. - -The UserConfig file provides configuration settings that you can apply to a single user without affecting any other users on a client: - -- Extensions that will be integrated into the native system per user: shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. -- Virtual Subsystems: Application Objects, Environment variables, Registry modifications, Services, and Fonts. -- Scripts (user context only). - -The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the preceding UserConfig list: - -- All UserConfig settings from the preceding section in this topic -- Extensions that can only be applied globally for all users -- Virtual Subsystems that can be configured for global machine locations, such as the registry -- Product Source URL -- Scripts (Machine context only) -- Controls to terminate child processes - -## File structure - -The structure of the App-V Dynamic Configuration file is explained in the following section. - -## Dynamic User Configuration file - -### Header - -An example of a Dynamic User Configuration file's header is: - -```xml - - -``` - -The **PackageId** is the same value that exists in the Manifest file. - -### Dynamic User Configuration file body - -The Dynamic User Configuration file's body can include all app extension points defined in the Manifest file, and the information to configure virtual applications. 
There are four subsections allowed in the body: - -**Applications**: All app-extensions contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. - -```xml - - - - - - - … - -``` - -**Subsystems**: AppExtensions and other subsystems are arranged as subnodes under ``, as shown in the following example. - -```xml - - - .. - - .. - -``` - -Each subsystem can be enabled/disabled using the **Enabled** attribute. The following sections describe the various subsystems and usage samples. - -### Dynamic User Configuration file extensions - -Extension Subsystems control extensions. These subsystems are Shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. - -Extension Subsystems can be enabled and disabled independently of the content.  Therefore, if Shortcuts are enabled, the client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an `` node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. - -### Examples of the shortcuts subsystem - -#### Example 1 - -Content will be ignored if the user defined the following syntaxes in either the dynamic or deployment config file: - -```xml -                               -                                           -                              
    -``` - -#### Example 2 - -Content in the manifest will be integrated during publishing if the user defined only the following syntax: - -```xml - -                             `` -``` - -#### Example 3 - -All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following syntaxes: - -```xml -                            -                                           -                              
    -``` - -### Supported Extension Subsystems - -**Shortcuts**: This subsystem controls shortcuts that will be integrated into the local system. The following example has two shortcuts: - -```xml - - -   -     -       -         \[{Common Programs}\]\\Microsoft Contoso\\Microsoft ContosoApp Filler 2010.lnk -         \[{PackageRoot}\]\\Contoso\\ContosoApp.EXE -         \[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\inficon.exe -          -          -         ContosoApp.Filler.3 -         Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft ContosoApp. -         0 -         1 -         \[{PackageRoot}\]\\Contoso\\ContosoApp.EXE -        -   -   -      -       \[{AppData}\]\\Microsoft\\Contoso\\Recent\\Templates.LNK -       \[{AppData}\]\\Microsoft\\Templates -        -        -        -        -        -       0 -       1 -        -      -   -   - -``` - -**File Type Associations**: Associates file types with programs to open by default and to set up the context menu. (MIME types can also be set up with this subsystem.) 
An example of a FileType association is: - -```xml - - - - - - .docm - contosowordpad.DocumentMacroEnabled.12 - document - application/vnd.ms-contosowordpad.document.macroEnabled.12 - - wincontosowordpad.exe - - - contosowordpad.8 - - - - - - - true - - - - - - - - contosowordpad.DocumentMacroEnabled.12 - \[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\contosowordpadicon.exe,15 - Blah Blah Blah - \[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,9182 - \[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,1424 - 0 - - Open - - {e56fa627-c35f-4a01-9e79-7d36aed8225a} - Edit - &Edit - "\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /vu "%1" - - - {e56fa627-c35f-4a01-9e79-7d36aed8225a} - Open - &Open - "\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /n "%1" - - - mscontosowordpad - ShellSystem - \[SHELLNOOP\] - \[SetForeground\]\[ShellNewDatabase "%1"\] - - - - - - - - -``` - -**URL Protocols**: This subsystem controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” protocol. - -```xml - - - - -   mailto -    -   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE,-9403 -   2 -   -   -   -   - -   -   -   2 -   -    -   open -    -   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE -   open -   \[{ProgramFilesX86}\\Microsoft Contoso\\Contoso\\contosomail.EXE" -c OEP.Note /m "%1" -   -   -   0 -   0 -   2 -     -   -   contosomail -   ShellSystem -   \[SHELLNOOP\] -   \[SetForeground\]\[ShellNewDatabase "%1"\] -   -   -   -   -   -   -   -   -``` - -**Software Clients**: Allows the app to register as an email client, news reader, or media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases, you only need to enable and disable it. There's also a control that lets you enable or disable the email client only in case you want all the other clients to remain as they are. 
- -```xml - -   - -``` - -**AppPaths**: If an application, such as contoso.exe, is registered with an apppath name of “myapp”, this subsystem lets you open the app by entering “myapp” into the run menu. - -```xml - - - - -   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE -   contosomail.exe -   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE -   -   false -   - - - - -``` - -**COM**: Allows an Application to register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. - -```xml - -``` - -### Other settings for Dynamic User Configuration file - -In addition to Extensions, the following other subsystems can be enabled/disabled and edited. - -#### Virtual Kernel Objects - -```xml - -```xml - -**Virtual Registry**: use this if you want to set a registry in the Virtual Registry within HKCU. - -```xml - - - - -   -   -   - -   -``` - -#### Virtual File System - -```xml -       -``` - -#### Virtual Fonts - -```xml -       -``` - -#### Virtual Environment Variables - -```xml - - -         -         -         -        -         -          -          -``` - -#### Virtual services - -```xml -       -``` - -#### UserScripts - -Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Refer to a sample User Configuration file output by the sequencer to see a sample script. For more information about the various triggers you can use to set up scripts, see the [Scripts](appv-dynamic-configuration.md#scripts) section. - -## Dynamic Deployment Configuration file - -### Dynamic Deployment Configuration file header - -The header of a Deployment Configuration file should look something like this: - -```xml - -``` - -The **PackageId** is the same value as the one that exists in the Manifest file. 
- -### Dynamic Deployment Configuration file body - -The body of the deployment configuration file includes two sections: - -- The User Configuration section allows the same content as the User Configuration file described in the previous section. When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. -- The Machine Configuration section contains information that can only be configured for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. - -```xml - - -.. - - -.. - -.. -
    - -``` - -User Configuration: For more information about this section, see [Dynamic User Configuration](#dynamic-user-configuration-file). - -Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections. - -#### Subsystems - -AppExtensions and other subsystems are arranged as subnodes under ``: - -```xml - -   -   .. -   - .. - -``` - -The following section describes the various subsystems and usage samples. - -#### Extensions - -Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this subsystem can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. - -#### Application Capabilities - -Application Capabilities extension is used by default programs in the Windows OS interface; it allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. 
- -```xml - -   -     -      -      \[{PackageRoot}\]\\LitView\\LitViewBrowser.exe -       -       LitView Browser -       SOFTWARE\\LitView\\Browser\\Capabilities -       -     -      -      @\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12345 -      @\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12346 -      0 -      Lit View E-Mail Client -       -        -        -        -       -       -        -        -       -      -        -       -       -    -     -   - - -``` - -#### Other settings for Dynamic Deployment Configuration file - -You can edit other subsystems in addition to extensions: - -- Machine-wide Virtual Registry: Use this subsystem when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. - -```xml - - -   -      -     -   -   - - -``` - -- Machine-wide Virtual Kernel Objects - -```xml - - -     -   - -``` - -- ProductSourceURLOptOut: Indicates whether the URL for the package can be modified globally through PackageSourceRoot to support branch office scenarios. It's set to False by default. Changes to the value take effect on the next launch. - -```xml - -   .. -    -   .. - -``` - -- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. - -- TerminateChildProcess: You can use this subsystem to specify that an application executable's child processes will be terminated when the application.exe process is terminated. - -```xml - -   .. -    -      -      -      -    -   .. - -``` - -### Scripts - -The following table describes the various script events and the context under which they can be run. 
- -|Script execution time|Can be specified in Deployment Configuration|Can be specified in User Configuration|Can run in the package's virtual environment|Can be run in the context of a specific application|Runs in system/user context: (Deployment Configuration, User Configuration)| -|---|:---:|:---:|:---:|:---:|:---:| -|AddPackage|X||||(SYSTEM, N/A)| -|PublishPackage|X|X|||(SYSTEM, User)| -|UnpublishPackage|X|X|||(SYSTEM, User)| -|RemovePackage|X||||(SYSTEM, N/A)| -|StartProcess|X|X|X|X|(User, User)| -|ExitProcess|X|X||X|(User, User)| -|StartVirtualEnvironment|X|X|X||(User, User)| -|TerminateVirtualEnvironment|X|X|||(User, User)| - -### Using multiple scripts on a single event trigger - -App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows client. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. - -#### How to use multiple scripts on a single event trigger - -For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application will run each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. - ->[!NOTE] ->We recommended you first run the multi-script line from a command prompt to make sure all arguments are built correctly before adding them to the deployment configuration file. - -#### Example script and parameter descriptions - -Using the following example file and table, modify the deployment or user configuration file to add the scripts that you want to run. 
- -```xml - - - ScriptRunner.exe - - -appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10 - -appvscript script2.vbs arg1 arg2 - -appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 –rollbackonerror - - - - -``` - -|Parameter in the example file|Description| -|---|---| -|``|Name of the event trigger you're running a script for, such as when adding or publishing a package.| -|`ScriptRunner.exe`|The script launcher application included in the App-V client.

    Although ScriptRunner.exe is included in the App-V client, the App-V client's location must be in %path% or ScriptRunner won't run. `ScriptRunner.exe` is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.| -|`-appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10`

    `-appvscript script2.vbs arg1 arg2`

    `-appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror`|`-appvscript`—token that represents the actual script you want to run.
    `script1.exe`—name of the script you want to run.
    `arg1 arg2`—arguments for the script you want to run.
    `-appvscriptrunnerparameters`—token that represents the execution options for script1.exe.
    `-wait`—token that tells ScriptRunner to wait for execution of script1.exe to finish before proceeding to the next script.
    `-timeout=x`—token that informs ScriptRunner to stop running the current script after *x* number of seconds. All other specified scripts will still run.
    `-rollbackonerror`—token that tells ScriptRunner to stop running all scripts that haven't yet run and roll back an error to the App-V client.| -|``|Waits for overall completion of ScriptRunner.exe.

    Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

    If any individual script reported an error and rollbackonerror was set to True, then ScriptRunner should report the error to App-V client.| - -ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type isn't associated with any of the computer's applications, the script won't run. - -### Create a Dynamic Configuration file using an App-V Manifest file - -You can create the Dynamic Configuration file using one of three methods: manually, using the App-V Management Console, or by sequencing a package, which will generate a package with two sample files. - -For more information about how to create the file using the App-V Management Console, see [How to create a Custom Configuration file by using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). - -To create the file manually, you can combine the components listed in the previous sections into a single file. However, we recommend you use files generated by the sequencer instead of manually created ones. - - - - - -## Related topics - -- [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) -- [How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md deleted file mode 100644 index 39c355141c7..00000000000 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ /dev/null 
@@ -1,33 +0,0 @@
----
-title: How to enable only administrators to publish packages by using an ESD
-description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD).
-author: aczechowski
-ms.service: windows-client
-ms.subservice: itpro-apps
-ms.date: 05/02/2022
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: how-to
----
-
-# How to enable only administrators to publish packages by using an ESD
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you couldn't prevent end users from performing these tasks.
-
-Here's how to enable only administrators to publish or unpublish packages:
-
-1. Navigate to the following Group Policy Object node:
-
- **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**.
-
-2. Enable the **Require publish as administrator** Group Policy setting.
-
- To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending).
-
-
-
-
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
deleted file mode 100644
index 757e57fbf23..00000000000
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11)
-description: How to Enable Reporting on the App-V Client by Using Windows PowerShell
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/19/2017
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to Enable Reporting on the App-V Client by Using Windows PowerShell
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the following procedure to configure the App-V for reporting.
-
-**To configure the computer running the App-V client for reporting**
-
-1. Enable the App-V client. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md).
-
-2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings:
-
-|Setting|Description|
-|--- |--- |
-|ReportingEnabled|Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.|
-|ReportingServerURL|Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.
    **Note:**
    This is the port number that was assigned during the Reporting Server setup|
-|Reporting Start Time|This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.|
-|ReportingRandomDelay|Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.|
-|ReportingInterval|Specifies the retry interval that the client will use to resend data to the reporting server.|
-|ReportingDataCacheLimit|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
-|ReportingDataBlockSize|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
-
-3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server.
-
- Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** cmdlet.
-
-
-
-
-
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-
-## Related articles
-
-
-[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
deleted file mode 100644
index 7622c5c8ddd..00000000000
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Enable the App-V in-box client (Windows 10/11)
-description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Enable the App-V in-box client
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-The App-V client is the component that runs virtualized applications on user devices. Once you enable the client, users can interact with icons and file names to start virtualized applications. The client can also get virtual application content from the management server.
-
-Starting with Windows 10 version 1607, the App-V client is installed automatically. However, you'll still need to enable the client yourself to allow user devices to access and run virtual applications. You can set up the client with the Group Policy editor or with Windows PowerShell.
-
-Here's how to enable the App-V client with Group Policy:
-
-1. Open the device’s **Group Policy Editor**.
-2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **App-V**.
-3. Run **Enables App-V Client**, then select **Enabled**.
-4. Restart the device.
-
-Here's how to enable the App-V client with Windows PowerShell:
-
-1. Open Windows PowerShell.
-2. Enter **Enable-Appv**, then select the Enter key.
-3. Restart the device.
-4. To verify that the App-V client is working, enter **Get-AppvStatus**, then select the Enter key.
-
-Check out these articles for more information about how to configure the App-V client:
-
-* [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)
-* [How to modify client configuration by using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)
-* [Using the client management console](appv-using-the-client-management-console.md)
-* [How to configure the client to receive package and connection group updates from the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
-
-
-
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
deleted file mode 100644
index dc3deee0f36..00000000000
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Evaluating App-V (Windows 10/11)
-description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/19/2017
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.subservice: itpro-apps
-ms.topic: article
----
-
-# Evaluating App-V
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-> [!NOTE]
-> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
-
-Before you deploy App-V into a production environment, you should evaluate it in a lab environment. You can use the information in this article to set up App-V in a lab environment for evaluation purposes only.
-
-## Configure lab computers for App-V Evaluation
-
-Use the following links for information about setting up the App-V sequencer on a computer in your lab environment.
-
-### Installing the App-V Sequencer and Creating Packages
-
-Use the following links for information about setting up the App-V sequencer and creating packages in your lab environment.
-
-- [How to Install the Sequencer](appv-install-the-sequencer.md)
-
-- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
-
-### Configuring the App-V Server
-
-Use the following links for information about setting up the App-V server in your lab environment.
-
-- [How to Deploy the App-V server](appv-deploy-the-appv-server.md)
-
-- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
-
-### Enabling the App-V Client
-
-Use the following links for more information about creating and managing virtualized packages in your lab environment.
-
-- [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
-
-- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
-
-
-## Related articles
-
-- [Getting Started with App-V](appv-getting-started.md)
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
deleted file mode 100644
index b2ded1f2680..00000000000
--- a/windows/application-management/app-v/appv-for-windows.md
+++ /dev/null
@@ -1,72 +0,0 @@ ---- -title: Application Virtualization (App-V) (Windows 10/11) -description: See various articles that can help you administer Application Virtualization (App-V) and its components. -author: aczechowski -ms.service: windows-client -ms.date: 09/27/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# Application Virtualization (App-V) for Windows client overview - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -> [!NOTE] -> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] - -The articles in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users. 
- -[Getting started with App-V](appv-getting-started.md) - -- [What's new in App-V](appv-about-appv.md) -- [Evaluating App-V](appv-evaluating-appv.md) -- [High-level architecture for App-V](appv-high-level-architecture.md) - -[Planning for App-V](appv-planning-for-appv.md) - -- [Preparing your environment for App-V](appv-preparing-your-environment.md) -- [App-V prerequisites](appv-prerequisites.md) -- [Planning to deploy App-V](appv-planning-to-deploy-appv.md) -- [App-V supported configurations](appv-supported-configurations.md) -- [App-V planning checklist](appv-planning-checklist.md) - -[Deploying App-V](appv-deploying-appv.md) - -- [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md) -- [Deploying the App-V Server](appv-deploying-the-appv-server.md) -- [App-V deployment checklist](appv-deployment-checklist.md) -- [Deploying Microsoft Office 2016 by using App-V](appv-deploying-microsoft-office-2016-with-appv.md) -- [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) -- [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) - -[Operations for App-V](appv-operations.md) - -- [Creating and managing App-V virtualized applications](appv-creating-and-managing-virtualized-applications.md) -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) -- [Administering App-V Virtual Applications by using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) -- [Managing connection 
groups](appv-managing-connection-groups.md) -- [Deploying App-V packages by using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) -- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) -- [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) -- [Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md) -- [Maintaining App-V](appv-maintaining-appv.md) -- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) - -[Troubleshooting App-V](appv-troubleshooting.md) - -[Technical reference for App-V](appv-technical-reference.md) - -- [Performance guidance for Application Virtualization](appv-performance-guidance.md) -- [Application publishing and client interaction](appv-application-publishing-and-client-interaction.md) -- [Viewing App-V Server publishing metadata](appv-viewing-appv-server-publishing-metadata.md) -- [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) - - - diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md deleted file mode 100644 index aab10ec1a45..00000000000 --- a/windows/application-management/app-v/appv-getting-started.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Getting Started with App-V (Windows 10/11) -description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# Getting started with App-V for Windows client - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -> [!NOTE] -> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] - -Microsoft Application Virtualization (App-V) for Windows delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. - -Starting with Windows 10 version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows client and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). - -If you’re already using App-V, performing an in-place upgrade to Windows 10/11 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. 
For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10/11, see [Upgrading to App-V for Windows from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). - ->[!IMPORTANT] ->You can upgrade your existing App-V installation to App-V for Windows from App-V versions 5.0 SP2 and higher only. If you are using an earlier version of App-V, you’ll need to upgrade your existing App-V installation to App-V 5.0 SP2 before upgrading to App-V for Windows. - -To learn more about previous versions of App-V, see [MDOP information experience](/microsoft-desktop-optimization-pack/index). - -## Getting started with App-V for Windows (new installations) - -To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table describes the App-V for Windows client components, what they do, and where to find them. - - - -| Component | What it does | Where to find it | -|------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more information, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

    If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

    If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

    If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

    For more information about installing and using the server components, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).| -| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | Starting with Windows 10 version 1607, the App-V client is automatically installed.

    To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | -| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows client](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | - -For more information about these components, see [High Level Architecture for App-V](appv-high-level-architecture.md). - -If you're new to App-V, it's a good idea to read the documentation thoroughly. Before deploying App-V in a production environment, you can ensure installation goes smoothly by validating your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. To get started, see the [Microsoft Training Overview](https://www.microsoft.com/learning/default.aspx). - -## Getting started with App-V - -[What's new in App-V](appv-about-appv.md) provides a high-level overview of App-V and how it can be used in your organization? - -[Evaluating App-V](appv-evaluating-appv.md) provides information about how you can best evaluate App-V for use in your organization. - -[High Level Architecture for App-V](appv-high-level-architecture.md) provides a description of the App-V features and how they work together. - -## Other resources for this product - -* [Application Virtualization (App-V) overview](appv-for-windows.md) -* [Planning for App-V](appv-planning-for-appv.md) -* [Deploying App-V](appv-deploying-appv.md) -* [Operations for App-V](appv-operations.md) -* [Troubleshooting App-V](appv-troubleshooting.md) -* [Technical reference for App-V](appv-technical-reference.md) 
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md deleted file mode 100644 index 1757dca790e..00000000000 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: High-level architecture for App-V (Windows 10/11) -description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# High-level architecture for App-V - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the following information to simplify your Microsoft Application Virtualization (App-V) deployment. - -## Architecture overview - -A typical App-V implementation consists of the following elements. - -|Element|Description| -|---|---| -|App-V Management server|The App-V Management server provides overall management functionality for the App-V infrastructure. Additionally, you can install more than one instance of the management server in your environment, which provides the following benefits:
    **Fault tolerance and high availability**—installing and configuring the App-V Management server on two separate computers can help in situations when one of the servers is unavailable or offline. You can also help increase App-V availability by installing the Management server on multiple computers. In this scenario, consider using a network load balancer to keep server requests balanced.
    **Scalability**—you can add more management servers as necessary to support a high load. For example, you can install multiple servers behind a load balancer.| -|App-V Publishing Server|The App-V publishing server provides functionality for virtual application hosting and streaming. The publishing server doesn't require a database connection and supports HTTP and HTTPS protocols.
    You can also help increase App-V availability by installing the Publishing server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| -|App-V Reporting Server|The App-V Reporting server lets authorized users run and view existing App-V reports and unplanned reports for managing App-V infrastructure. The Reporting server requires a connection to the App-V reporting database. You can also help increase App-V availability by installing the Reporting server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| -|App-V Client|The App-V client enables packages created using App-V to run on target computers.| - ->[!NOTE] ->If you are using App-V with electronic software distribution (ESD), you aren't required to use the App-V Management server. However, you can still use App-V's reporting and streaming functionality. - -## Related articles - -- [Getting Started with App-V](appv-getting-started.md) diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md deleted file mode 100644 index 911023aae03..00000000000 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11) -description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - - -# How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell - -**Applies to** -- Windows Server 2016 - -Use the following Windows PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts. - -Before attempting this procedure, you should read and understand the information and examples displayed in the following list: - -- **.INPUTS** – The account or accounts used to convert to SID format. This item can be a single account name or an array of account names. - -- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats. - -- **Examples** - - - **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**. - - **$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** - - **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200** - - \#> - -**To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)** - -1. Copy the following script into a text editor and save it as a Windows PowerShell script file, for example **ConvertToSIDs.ps1**. - -2. 
To open a Windows PowerShell console, click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. - - ```powershell - <# - .SYNOPSIS - This Windows PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. - .DESCRIPTION - This is a Windows PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. - .INPUTS - The account(s) to convert to SID format. This can be a single account name or an array of account names. Please see examples below. - .OUTPUTS - A list of account names with the corresponding SID in standard and hexadecimal formats - .EXAMPLE - .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List - .EXAMPLE - $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") - .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 - #> - - function ConvertSIDToHexFormat - { -    param([System.Security.Principal.SecurityIdentifier]$sidToConvert) -    $sb = New-Object System.Text.StringBuilder -     [int] $binLength = $sidToConvert.BinaryLength -     [Byte[]] $byteArray = New-Object Byte[] $binLength -    $sidToConvert.GetBinaryForm($byteArray, 0) -    foreach($byte in $byteArray) -    { -    $sb.Append($byte.ToString("X2")) |Out-Null -    } -    return $sb.ToString() - } - [string[]]$myArgs = $args - if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) - { - [string]::Format("{0}====== Description ======{0}{0}" + - "  Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + -                "  Pass the account(s) as space separated command line parameters. 
(For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + -                "  The output is written to the console in the format 'Account name    SID as string   SID as hexadecimal'{0}" + -                "  And can be written out to a file using standard Windows PowerShell redirection{0}" + -                "  Please specify user accounts in the format 'DOMAIN\username'{0}" + -                "  Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + -                "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + -                "{0}====== Arguments ======{0}" + -                "{0}  /?    Show this help message", [Environment]::NewLine) - { - else - {  -     #If an array was passed in, try to split it -     if($myArgs.Length -eq 1) -     { -         $myArgs = $myArgs.Split(' ') -     } - -     #Parse the arguments for account names -     foreach($accountName in $myArgs) -     {    -         [string[]] $splitString = $accountName.Split('\')  # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject -         if($splitString.Length -ne 2) -         { -             $message = [string]::Format("{0} is not a valid account name. 
Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) -             Write-Error -Message $message -             continue -         } -         #Convert any account names to SIDs -         try -         { -             [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) -             [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) -         } -         catch [System.Security.Principal.IdentityNotMappedException] -         { -             $message = [string]::Format("Failed to translate account object '{0}' to a SID. Please verify that this is a valid user or machine account.", $account.ToString()) -             Write-Error -Message $message -             continue -         } - -         #Convert regular SID to binary format used by SQL -         $hexSIDString = ConvertSIDToHexFormat $SID -         $SIDs = New-Object PSObject -         $SIDs | Add-Member NoteProperty Account $accountName -         $SIDs | Add-Member NoteProperty SID $SID.ToString() -         $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString - -         Write-Output $SIDs -     } - } - ``` - -3. Run the script you saved in Step 1 of this procedure passing the accounts to convert as arguments. - - For example, - - **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** - - **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md deleted file mode 100644 index ba5480496de..00000000000 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11) -description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. -author: aczechowski -ms.service: windows-client -ms.date: 04/18/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services - ->Applies to: Windows Server 2016 - -Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail. - ->[!NOTE] ->After you complete the deployment, the administrator installing the service will need the Microsoft SQL Server name, instance name and the database name to connect to these databases. - -## Installing the management database and the management server on separate computers - -1. Copy the App-V server installation files to the computer you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**. -2. On the **Getting started** page, review and accept the license terms, then select **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**, then select **Next**. -4. On the **Feature selection** page, select the components you want to install by first selecting the **Management Server Database** checkbox, then selecting **Next**. -5. 
On the **Installation location** page, accept the default location and select **Next**. -6. On the initial **Create new management server database** page, accept the default selections if appropriate, then select **Next**. - * If you are using a custom SQL Server instance, select **Use a custom instance** and enter the name of the instance. - * If you are using a custom database name, select **Custom configuration** and enter the database name. -7. On the next **Create new management server database** page, select **Use a remote computer**, then enter the remote machine account using the following format: ```Domain\MachineAccount```. - - > [!NOTE] - >If you plan to deploy the management server on the same computer you must select **Use this local computer**. Specify the user name for the management server **Install Administrator** using the following format: ```Domain\AdministratorLoginName```. After that, select **Next**. -8. To start the installation, select **Install**. - -## Installing the reporting database and the reporting server on separate computers - -1. Copy the App-V server installation files to the computer you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**. -2. On the **Getting started** page, review and accept the license terms, then select **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Update, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**. After that, select **Next**. -4. On the **Feature selection** page, select the components you want to install by first selecting the **Reporting Server Database** checkbox, then selecting **Next**. -5. On the **Installation Location** page, accept the default location and select **Next**. -6. 
On the initial **Create new management server database** page, accept the default selections if appropriate, then select **Next**. - * If you're using a custom SQL Server instance, select **Use a custom instance** and enter the instance name. - * If you're using a custom database name, select **Custom configuration** and enter the database name. -7. On the next **Create new management server database** page, select **Use a remote computer**, and enter the remote machine account using the following format: ```Domain\MachineAccount```. - - > [!NOTE] - >If you plan to deploy the reporting server on the same computer you must select **Use this local computer**. Specify the user name for the reporting server **Install Administrator** using the following format: Domain\\AdministratorLoginName. After that, select **Next**. -8. To start the installation, select **Install**. - -## Installing the management and reporting databases using App-V database scripts - -1. Copy the App-V server installation files to the computer on which you want to install it on. -2. To extract the App-V database scripts, open a command prompt and specify the location where the installation files are saved and run the following command: - - ```SQL - appv\_server\_setup.exe /LAYOUT /LAYOUTDIR=”InstallationExtractionLocation” - ``` - -3. After the extraction has been completed, to access the App-V database scripts and instructions readme file: - - * The App-V Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**. - * The App-V Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**. -4. For each database, copy the scripts to a share and modify them following the instructions in the readme file. 
- - > [!NOTE] - >For more information about modifying the required SIDs contained in the scripts, see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md). -5. Run the scripts on the computer running Microsoft SQL Server. - - - - - -## Related articles - -* [Deploying App-V](appv-deploying-appv.md) diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md deleted file mode 100644 index a9263f3cba7..00000000000 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ /dev/null 
@@ -1,43 +0,0 @@
----
-title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11)
-description: How to install the Management Server on a Standalone Computer and Connect it to the Database
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to install the Management Server on a Standalone Computer and Connect it to the Database
-
->Applies to: Windows Server 2016
-
-To install the management server on a standalone computer and connect it to the database, follow these steps.
-
-1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**.
-2. On the **Getting Started** page, review and accept the license terms, then select **Next**.
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Update, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**.
-4. On the **Feature Selection** page, select the **Management Server** checkbox, then select **Next**.
-5. On the **Installation Location** page, accept the default location, then select **Next**.
-6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```.
-
- > [!NOTE]
- >If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance**, then enter the instance's name. Specify the **SQL Server Database name** that this management server will use, such as ```AppvManagement```.
-7. On the **Configure management server configuration** page, specify the following items:
- * The AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation
- * The **Website Name** you want to use for the management service. Accept the default if you do not have a custom name.
- * For the **Port Binding**, specify a unique port number, such as **12345**.
-8. Select **Install**.
-9. To confirm that the setup has completed successfully, open a web browser and enter the following URL: https://managementserver:portnumber/Console. If the installation was successful, you should see the **Management Console** appear without any error messages or warnings displayed.
-
-
-
-
-
-## Related articles
-
-* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
deleted file mode 100644
index b25c54796cf..00000000000
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Install the Publishing Server on a Remote Computer (Windows 10/11)
-description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to install the publishing server on a remote computer
-
->Applies to: Windows Server 2016
-
-Use the following procedure to install the publishing server on a separate computer. Before you perform the following procedure, ensure the database and management server are available.
-
-## Installing the publishing server on a separate computer
-
-1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**.
-2. On the **Getting started** page, review and accept the license terms, then select **Next**.
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**. Click **Next**.
-4. On the **Feature selection** page, select the **Publishing Server** checkbox, then select **Next**.
-5. On the **Installation location** page, accept the default location, then select **Next**.
-6. On the **Configure publishing server configuration** page, specify the following items:
-
- * The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**.
- * Specify the website name that you want to use for the publishing service. If you don't have a custom name, then use the default name.
- * For the **Port binding**, specify a unique port number that will be used by App-V. For example, **54321**.
-7. On the **Ready to install** page, select **Install**.
-8. After the installation is complete, the publishing server must be registered with the management server. In the App-V management console, use the following steps to register the server:
-
- 1. Open the App-V management server console.
- 2. In the left pane, select **Servers**, then select **Register New Server**.
- 3. Enter the server name and a description (if required), then select **Add**.
-9. To verify that the publishing server is running correctly, you should import a package to the management server, entitle that package to an AD group, then publish it. Using an internet browser, open the following URL: https://publishingserver:pubport. If the server is running correctly, information like the following example should appear.
-
- ```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ```
-
-
-
-
-
-## Related articles
-
-* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
deleted file mode 100644
index 39075f56f33..00000000000
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11)
-description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to install the reporting server on a standalone computer and connect it to the database
-
->Applies to: Windows Server 2016
-
-Use the following procedure to install the reporting server on a standalone computer and connect it to the database.
-
->[!IMPORTANT]
->Before performing the following procedure you should read and understand [About App-V reporting](appv-reporting.md).
-
-## Install the reporting server on a standalone computer and connect it to the database
-
-1. Copy the App-V server installation files to the computer you plan to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**.
-2. On the **Getting started** page, review and accept the license terms, then select **Next**.
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Update, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**. Select **Next**.
-4. On the **Feature selection** page, select the **Reporting Server** checkbox, then select **Next**.
-5. On the **Installation location** page, accept the default location and select **Next**.
-6. On the **Configure existing reporting database** page, select **Use a remote SQL Server**, then enter the machine name of the computer running Microsoft SQL Server. For example, you can name your computer **SqlServerMachine**.
-
- > [!NOTE]
- >If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server instance, select **Use the default instance**. If you're using a custom Microsoft SQL Server instance, select **Use a custom instance**, then enter the name of your custom instance. Specify the **SQL Server Database name** that this reporting server will use; for example, you can name the server **AppvReporting**.
-7. On the **Configure reporting server configuration** page.
-
- * Specify the website name you want to use for the reporting service. Leave the default unchanged if you do not have a custom name.
- * For the **Port binding**, specify a unique, five-digit port number for App-V to use, such as **55555**. Make sure that the specified port isn't being used by another website.
-8. Select **Install**.
-
-
-
-
-
-## Related articles
-
-* [About App-V reporting](appv-reporting.md)
-* [Deploying App-V](appv-deploying-appv.md)
-* [How to enable reporting on the App-V client by using Windows PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
deleted file mode 100644
index 2f756b549e3..00000000000
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Install the App-V Sequencer (Windows 10/11)
-description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Install the App-V Sequencer
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Use the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. Those devices must be running the App-V client to allow users to interact with virtual applications.
-
-The App-V Sequencer is included in the Windows client Assessment and Deployment Kit (Windows ADK).
-
->[!NOTE]
->The computer that will run the sequencer must not have the App-V client enabled. As a best practice, choose a computer with the same hardware and software configurations as the computers that will run the virtual applications. The sequencing process is resource-intensive, so make sure the computer that will run the Sequencer has plenty of memory, a fast processor, and a fast hard drive.
-
-## How to install the App-V Sequencer
-
-1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
-2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation.
-
- ![Selecting APP-V features in ADK.](images/app-v-in-adk.png)
-3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**.
-
-See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer.
-
-## Command-line options for installing the sequencer
-
-You can also use the command line to install the App-V sequencer. The following list displays information about options for installing the sequencer using the command line and **appv\_sequencer\_setup.exe**:
-
-| Command | Description |
-|-------------------|------------------|
-| **/INSTALLDIR** | Specifies the installation directory. |
-| **/Log** | Specifies where the installation log will be saved. The default location is **%Temp%**. For example, **C:\\Logs\\log.log**. |
-| **/q** | Specifies a quiet or silent installation. |
-| **/Uninstall** | Specifies the removal of the sequencer. |
-| **/ACCEPTEULA** | Accepts the license agreement. This is required for an unattended installation. For example, **/ACCEPTEULA** or **/ACCEPTEULA=1**. |
-| **/LAYOUT** | Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V. No value is expected. |
-| **/LAYOUTDIR** | Specifies the layout directory. Requires a string value. For example, **/LAYOUTDIR=”C:\\Application Virtualization Client”**. |
-| **/?** or **/h** or **/help** | Displays associated help. |
-
-## To troubleshoot the App-V sequencer installation
-
-For more information regarding the sequencer installation, you can view the error log in the **%temp%** folder. To review the log files, click **Start**, type **%temp%**, and then look for the **appv\_ log**.
-
-
-
-
-
-## Related articles
-
-* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
deleted file mode 100644
index 9ce856129da..00000000000
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11)
-description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
-author: aczechowski
-ms.service: windows-client
-ms.date: 09/27/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-## Requirements for using Windows PowerShell cmdlets
-
-This section will tell you what you'll need to use the PowerShell cmdlets.
-
-### How to let users access PowerShell cmdlets
-
-You can grant your users access to PowerShell cmdlets through one of the following methods:
-
-* While you're deploying and configuring the App-V server, specify an Active Directory group or individual user with permissions to manage the App-V environment. For more information, see [How to deploy the App-V Server](appv-deploy-the-appv-server.md).
-* After you've deployed the App-V server, you can use the App-V Management console to add an additional Active Directory group or user. For more information, see [How to add or remove an administrator by using the Management console](appv-add-or-remove-an-administrator-with-the-management-console.md).
-
-### Elevated command prompt
-
-You'll need an elevated command prompt to run the following cmdlets:
-
-* **Add-AppvClientPackage**
-* **Remove-AppvClientPackage**
-* **Set-AppvClientConfiguration**
-* **Add-AppvClientConnectionGroup**
-* **Remove-AppvClientConnectionGroup**
-* **Add-AppvPublishingServer**
-* **Remove-AppvPublishingServer**
-* **Send-AppvClientReport**
-* **Set-AppvClientMode**
-* **Set-AppvClientPackage**
-* **Set-AppvPublishingServer**
-
-### Other cmdlets
-
-The following cmdlets are ones that end-users can run unless you configure them to require an elevated command prompt.
-
-* **Publish-AppvClientPackage**
-* **Unpublish-AppvClientPackage**
-
-To configure these cmdlets to require an elevated command prompt, use one of the following methods:
-
-* Run the **Set-AppvClientConfiguration** cmdlet with the *-RequirePublishAsAdmin* parameter. For more information, see the following resources:
- * [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
- * [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending)
-* Enable the **Require publish as administrator** Group Policy setting for App-V Clients. For more information, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md).
-
-## Loading the Windows PowerShell cmdlets
-
-To load the Windows PowerShell cmdlet modules:
-
-1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
-2. Enter one of the following cmdlets to load a list of usable cmdlets for the module you want:
-
-|App-v component|Cmdlet to enter|
-|---|---|
-|App-V Server|**Import-Module AppvServer**|
-|App-V Sequencer|**Import-Module AppvSequencer**|
-|App-V Client|**Import-Module AppvClient**|
-
-## Getting help for the Windows PowerShell cmdlets
-
-Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
-
-* As a downloadable module in PowerShell. To access the module, open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE) and enter one of the cmdlets from the following table.
-
-|App-v component|Cmdlet to enter|
-|---|---|
-|App-V Server|**Update-Help -Module AppvServer**|
-|App-V Sequencer|**Update-Help -Module AppvSequencer**|
-|App-V Client|**Update-Help -Module AppvClient**|
-
-* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started).
-
-## Displaying the help for a Windows PowerShell cmdlet
-
-To display help for a specific Windows PowerShell cmdlet:
-
-1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
-2. Enter **Get-Help** followed by the cmdlet you need help with. For example:
- ```PowerShell
- Get-Help Publish-AppvClientPackage
- ```
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
deleted file mode 100644
index 0b04a038f50..00000000000
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Maintaining App-V (Windows 10/11)
-description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure.
-author: aczechowski
-ms.service: windows-client
-ms.date: 09/27/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Maintaining App-V
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-After you have deployed App-V for Windows client, you can use the following information to maintain the App-V infrastructure.
-
-## Moving the App-V server
-
-The App-V server connects to the App-V database, which means you can install the management component and connect it to the App-V database on any computer on the network. For more information, see [How to move the App-V server to another computer](appv-move-the-appv-server-to-another-computer.md).
-
-## Determine if an App-V application is running virtualized
-
-Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V should open a named object called **AppVVirtual-<PID>** in the default namespace (PID stands for process ID). To find the process ID of the process you're currently using, enter the Windows API **GetCurrentProcessId()**.
-
-For example, let's say the process ID is 4052. If you can successfully open a named Event object called **AppVVirtual-4052** with the **OpenEvent()** API in the default read access namespace, then the application is virtual. If the **OpenEvent()** call fails, the application isn't virtual.
-
-Additionally, ISVs who want to explicitly virtualize or not virtualize calls on specific APIs with App-V 5.1 and later can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module to hint to a downstream component whether the call should be virtualized or not.
-
-
-
-
-
-## Other resources for maintaining App-V
-
-* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
deleted file mode 100644
index 55a855d2ebc..00000000000
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ /dev/null
@@ -1,177 +0,0 @@ ---- -title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10/11) -description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. -author: aczechowski -ms.pagetype: mdop, appcompat, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library -ms.service: windows-client -ms.date: 09/24/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- -# How to manage App-V packages running on a stand-alone computer by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets. - -## Return a list of packages - -Enter the **Get-AppvClientPackage** cmdlet to return a list of packages entitled to a specific user. Its parameters are *-Name*, *-Version*, *-PackageID*, and *-VersionID*. - -For example: - -```PowerShell -Get-AppvClientPackage –Name "ContosoApplication" -Version 2 -``` - -## Add a package - -Use the **Add-AppvClientPackage** cmdlet to add a package to a computer. - -> [!IMPORTANT] -> This example only adds a package. It does not publish the package to the user or the computer. - -For example: - -```PowerShell -$Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv -``` - -## Publish a package - -Use the **Publish-AppvClientPackage** cmdlet to publish a package that has been added to either a specific user or globally to any user on the computer. - -Enter the cmdlet with the application name to publish it to the user. - -```PowerShell -Publish-AppvClientPackage "ContosoApplication" -``` - -To publish the application globally, just add the *-Global* parameter. 
- -```Powershell -Publish-AppvClientPackage "ContosoApplication" -Global -``` - -## Publish a package to a specific user - -> [!NOTE] -> You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -An administrator can publish a package to a specific user by specifying the optional *–UserSID* parameter with the **Publish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). - -To use this parameter: - -- You can run this cmdlet from the user or administrator session. -- You must be logged in with administrative credentials to use the parameter. -- The end user must be signed in. -- You must provide the end user’s security identifier (SID). - -For example: - -```PowerShell -Publish-AppvClientPackage "ContosoApplication" -UserSID S-1-2-34-56789012-3456789012-345678901-2345 -``` - -## Add and publish a package - -Use the **Add-AppvClientPackage** cmdlet to add a package to a computer and publish it to the user. - -For example: - -```PowerShell -Add-AppvClientPackage | Publish-AppvClientPackage -``` - -## Unpublish an existing package - -Use the **Unpublish-AppvClientPackage** cmdlet to unpublish a package which has been entitled to a user but not remove the package from the computer. - -For example: - -```PowerShell -Unpublish-AppvClientPackage "ContosoApplication" -``` - -## Unpublish a package for a specific user - -> [!NOTE] -> You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -An administrator can unpublish a package for a specific user by using the optional *-UserSID* parameter with the **Unpublish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). - -To use this parameter: - -- You can run this cmdlet from the user or administrator session. -- You must sign in with administrative credentials to use the parameter. -- The end user must be signed in. -- You must provide the end user’s security identifier (SID). 
- -For example: - -```PowerShell -Unpublish-AppvClientPackage "ContosoApplication" -UserSID S-1-2-34-56789012-3456789012-345678901-2345 -``` - -## Remove an existing package - -Use the **Remove-AppvClientPackage** cmdlet to remove a package from the computer. - -For example: - -```PowerShell -Remove-AppvClientPackage "ContosoApplication" -``` - -> [!NOTE] -> App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](/archive/blogs/appv/app-v-5-0-client-powershell-deep-dive). - -## Enable only administrators to publish or unpublish packages - -Starting in App-V 5.0 SP3, you can use the **Set-AppvClientConfiguration** cmdlet and *-RequirePublishAsAdmin* parameter to enable only administrators (not end users) to publish or unpublish packages. - -You can set the *-RequirePublishAsAdmin* parameter to the following values: - -- 0: False -- 1: True - -For example: - -```PowerShell -Set-AppvClientConfiguration –RequirePublishAsAdmin1 -``` - -To use the App-V Management console to set this configuration, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md). - -## About pending packages: UserPending and GlobalPending - -Starting in App-V 5.0 SP2, if you run a Windows PowerShell cmdlet that affects a package currently in use, the task you're trying to perform is placed in a pending state. 
For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: - -|Cmdlet output item|Description| -|---|---| -|UserPending|Indicates whether the listed package has a pending task that is being applied to the user:
    - True
    - False| -|GlobalPending|Indicates whether the listed package has a pending task that is being applied globally to the computer:
    - True
    - False| - -The pending task will run later, according to the following rules: - -|Task type|Applicable rule| -|---|---| -|User-based
    (for example, publishing a package to a user)|The pending task will be performed after the user logs off and then logs back on.| -|Globally based
    (for example, enabling a connection group globally)|The pending task will be performed when the computer is shut down and then restarted.| - -For more information about pending tasks, see [Upgrading an in-use App-V package](appv-application-publishing-and-client-interaction.md#upgrading-an-in-use-app-v-package). - - - - - -## Related topics - -- [Operations for App-V](appv-operations.md) -- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md deleted file mode 100644 index 181e13b751a..00000000000 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11) -description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -An App-V connection group allows you to run all the virtual applications as a defined set of packages in a single virtual environment. For example, you can virtualize an application and its plug-ins by using separate packages, but run them together in a single connection group. - -A connection group XML file defines the connection group for the App-V client. For information about the connection group XML file and how to configure it, see [About the Connection Group File](appv-connection-group-file.md). - -This article explains the following procedures: - -- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group) - -- [To add and enable the connection group on the App-V client](#to-add-and-enable-the-connection-group-on-the-app-v-client) - -- [To enable or disable a connection group for a specific user](#to-enable-or-disable-a-connection-group-for-a-specific-user) - -- [To allow only administrators to enable connection groups](#to-allow-only-administrators-to-enable-connection-groups) - -## To add and publish the App-V packages in the connection group - -1. To add and publish the App-V packages to the computer running the App-V client, type the following command: - - Add-AppvClientPackage –path c:\\tmpstore\\quartfin.appv | Publish-AppvClientPackage - -2. 
Repeat **step 1** of this procedure for each package in the connection group. - -## To add and enable the connection group on the App-V client - -1. Add the connection group by typing the following command: - - Add-AppvClientConnectionGroup –path c:\\tmpstore\\financ.xml - -2. Enable the connection group by typing the following command: - - Enable-AppvClientConnectionGroup –name "Financial Applications" - - When any virtual applications that are in the member packages are run on the target computer, they'll run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group. - -## To enable or disable a connection group for a specific user - -1. Review the parameter description and requirements: - - - The parameter enables an administrator to enable or disable a connection group for a specific user. - - - You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - - - You can run this cmdlet from the user or administrator session. - - - You must be logged in with administrative credentials to use the parameter. - - - The end user must be logged in. - - - You must provide the end user’s security identifier (SID). - -2. Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID): - - |Cmdlet|Examples| - |--- |--- | - |Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| - |Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| - -## To allow only administrators to enable connection groups - -1. Review the description and requirement for using this cmdlet: - - - Use this cmdlet and parameter to configure the App-V client to allow only administrators (not end users) to enable or disable connection groups. 
- - - You must be using at least App-V 5.0 SP3 to use this cmdlet. - -2. Run the following cmdlet and parameter: - - |Cmdlet|Parameter and values|Example| - |--- |--- |--- | - |Set-AppvClientConfiguration|-RequirePublishAsAdmin
  • 0 - False
  • 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
    1| - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - - -[Operations for App-V](appv-operations.md) - -[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md deleted file mode 100644 index 7f676c5b81f..00000000000 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Managing Connection Groups (Windows 10/11) -description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Managing Connection Groups - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Connection groups enable the applications within a package to interact with each other in the virtual environment, while remaining isolated from the rest of the system. By using connection groups, administrators can manage packages independently and can avoid having to add the same application multiple times to a client computer. - -**Note**   -In some previous versions of App-V, connection groups were referred to as Dynamic Suite Composition. 
- -**In this section:** - -|Links|Description| -|--- |--- | -|[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.| -|[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.| -|[How to Create a Connection Group](appv-create-a-connection-group.md)|Explains how to create a new connection group.| -|[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)|Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.| -|[How to Delete a Connection Group](appv-delete-a-connection-group.md)|Explains how to delete a connection group.| -|[How to Publish a Connection Group](appv-publish-a-connection-group.md)|Explains how to publish a connection group.| -|[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)|Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.| -[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)|Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.| - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Other resources for App-V connection groups - - -- [Operations for App-V](appv-operations.md) - - - - - - - - - diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md deleted file mode 100644 index cb9d2085c06..00000000000 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ /dev/null @@ -1,129 +0,0 @@ ---- -title: Migrating to App-V from a Previous Version (Windows 10/11) -description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Migrating to App-V from previous versions - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. - -## Improvements to the App-V Package Converter - - -You can now use the package converter to convert App-V 4.6 packages that contain scripts, and registry information and scripts from source .osd files are now included in package converter output. - -You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files’ information is converted and placed within the new package. - -|New in App-V for Windows client|Prior to App-V for Windows 10| -|--- |--- | -|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
  • environment variables
  • shortcuts
  • file type associations
  • registry information
  • scripts

    You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package weren't included in package converter output.

    The package converter would populate the new package with information from all of the .osd files in the source directory.| - -### Example conversion statement - -To understand the new process, review the following example `ConvertFrom-AppvLegacyPackage` package converter statement. - -**If the source directory (\\\\OldPkgStore\\ContosoApp) includes the following:** - -- ContosoApp.sft - -- ContosoApp.msi - -- ContosoApp.sprj - -- ContosoApp\_manifest.xml - -- X.osd - -- Y.osd - -- Z.osd - -**And you run this command:** - -``` syntax -ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ --DestinationPath \\NewPkgStore\ContosoApp\ --OSDsToIncludeInPackage X.osd,Y.osd -``` - -**The following is created in the destination directory (\\\\NewPkgStore\\ContosoApp):** - -- ContosoApp.appv - -- ContosoApp.msi - -- ContosoApp\_DeploymentConfig.xml - -- ContosoApp\_UserConfig.xml - -- X\_Config.xml - -- Y\_Config.xml - -- Z\_Config.xml - -**In the above example:** - -|These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description| -|--- |--- |--- |--- | -|
  • X.osd
  • Y.osd
  • Z.osd|
  • X_Config.xml
  • Y_Config.xml
  • Z_Config.xml|
  • Environment variables:
  • Shortcuts
  • File type associations
  • Registry information
  • Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
    In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.| -|
  • X.osd
  • Y.osd|
  • ContosoApp.appv
  • ContosoApp_DeploymentConfig.xml
  • ContosoApp_UserConfig.xml|
  • Environment variables
  • Shortcuts
  • File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter is converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
    In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it wasn't included as one of these arguments.| - -## Converting packages created using a prior version of App-V - - -Use the package converter utility to upgrade virtual application packages created using versions of App-V prior to App-V 5.0. The package converter uses Windows PowerShell to convert packages and can help automate the process if you have many packages that require conversion. App-V packages created with App-V 5.x don't need to be converted. - - -**Important**   -After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful. - - - -**What to know before you convert existing packages** - -|Issue|Workaround| -|--- |--- | -|Virtual packages using DSC aren't linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| -|Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.| -|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it's recommended to re-sequence the package.| - -When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. 
- -**Note**   -It's recommended that you use the App-V sequencer for converting critical applications or applications that need to take advantage of features. See [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). - -If a converted package doesn't open after you convert it, it's also recommended that you resequence the application using the App-V sequencer. - -[How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md) - -## Migrating the App-V Server Full Infrastructure - - -There's no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. - -|Task|More Information| -|--- |--- | -|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)| -|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)| -|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)| -|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this article.| - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Other resources for performing App-V migration tasks - -- [Operations for App-V](appv-operations.md) - -- [A simplified Microsoft App-V 5.1 Management Server upgrade procedure](/archive/blogs/appv/a-simplified-microsoft-app-v-5-1-management-server-upgrade-procedure) diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md deleted file mode 100644 index d9b051f74f2..00000000000 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -title: How to Modify an Existing Virtual Application Package (Windows 10/11) -description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# How to Modify an Existing Virtual Application Package - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -This article explains how to: - -- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package) - -- [Modify the properties associated with an existing virtual application package](#modify-the-properties-associated-with-an-existing-virtual-application-package) - -- [Add a new application to an existing virtual application package](#add-a-new-application-to-an-existing-virtual-application-package) - -**Before you update a package:** - -- Ensure that you’ve installed the Microsoft Application Virtualization (App-V) Sequencer, which is required for modifying a virtual application package. To install the App-V Sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). - -- Save the .appv file in a secure location and always trust the source before trying to open the package for editing. - -- The Managing Authority section is erroneously removed from the deployment configuration file when you update a package. Before starting the update, copy the Managing Authority section from the existing deployment configuration file, and then paste the copied section into the new configuration file after the conversion is complete. 
- -- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured. - -## Update an application in an existing virtual application package - -1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. - -2. In the App-V Sequencer, click **Modify an Existing Virtual Application Package** > **Next**. - -3. On the **Select Task** page, click **Update Application in Existing Package** > **Next**. - -4. On the **Select Package** page, click **Browse** to locate the virtual application package that contains the application to update, and then click **Next**. - -5. On the **Prepare Computer** page, review the issues that could cause the application update to fail or cause the updated application to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. - - **Important**   - If you're required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package. - -6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update doesn't have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. - -7. 
On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you're finished with the installation, select **I am finished installing**. Click **Next**. - - >**Note**  The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. - -8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**. - -9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**. - - >**Note**  You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**. - -10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it's saved. Click **Next**. - - To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful to identify the application version and provide other information about the package. The default **Save Location** is also displayed. 
To change the default location, click **Browse** and specify the new location. Click **Create**. - -11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer. - - -## Modify the properties associated with an existing virtual application package - -1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. - -2. In the App-V Sequencer, click **Modify an Existing Virtual Application Package** > **Next**. - -3. On the **Select Task** page, click **Edit Package** > **Next**. - -4. On the **Select Package** page, click **Browse** to locate the virtual application package that contains the application properties to modify, and then click **Edit**. - -5. In the App-V Sequencer console, perform any of the following tasks as needed: - - - Import and export the manifest file. - - - Enable or disable Browser Helper Objects. - - - Import or export a VFS file. - - - Import a directory into the virtual file system. - - - Import and export virtual registry keys. - - - View package properties. - - - View associated package files. - - - Edit registry settings. - - - Review the extra package settings (except operating system file properties). - - - Set virtualized registry key state (override or merge). - - - Set virtualized folder state. - - - Add or edit shortcuts and file type associations. - - >**Note**  To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page. - -6. When you finish changing the package properties, click **File** > **Save** to save the package. - -## Add a new application to an existing virtual application package - -1. 
On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. - -2. In the App-V Sequencer, click **Modify an Existing Virtual Application Package** > **Next**. - -3. On the **Select Task** page, click **Add New Application** > **Next**. - -4. On the **Select Package** page, click **Browse** to locate the virtual application package to which you'll add the application, and then click **Next**. - -5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. - - >**Important**  If you're required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package. - -6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application doesn't have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. - -7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If more installation files must be run as part of the installation, click **Run**, and locate and run those installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this directory is a new location so that you don’t overwrite the existing version of the virtual application package. 
- - >**Note**  The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. - -8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**. - -9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page. - -10. If you're finished installing and configuring the virtual application, select **Stop now** and skip to step 13 of this procedure. If you want to perform the following described customization, click **Customize**. - - If you're customizing, prepare the virtual package for streaming, and then click **Next**. Streaming improves the experience when the virtual application package is run on target computers. - -11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - - >**Note**  You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**. - -12. 
On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**. - - To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**. - -13. On the **Completion** page, click **Close**. The package is now available in the sequencer. - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md deleted file mode 100644 index 84f2710b451..00000000000 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11) -description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# How to Modify Client Configuration by Using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the following procedure to configure the App-V client configuration. - -1. To configure the client settings using Windows PowerShell, use the **Set-AppVClientConfiguration** cmdlet. For more information about installing Windows PowerShell, and a list of cmdlets see, [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). - -2. To modify the client configuration, open a Windows PowerShell Command prompt and run **Set-AppVClientConfiguration** with any required parameters. For example: - - `$config = Get-AppVClientConfiguration` - - `Set-AppVClientConfiguration $config` - - `Set-AppVClientConfiguration –Name1 MyConfig –Name2 "xyz"` - - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md deleted file mode 100644 index 2b4ee820e3e..00000000000 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: How to Move the App-V Server to Another Computer (Windows 10/11) -description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# How to move the App-V server to another computer - -**Applies to** -- Windows Server 2016 - -Use the following information to create a new management server console in your environment. - -## To create a new management server console - - -Follow these steps to create a new management server console: - -1. Install the management server on a computer in your environment. For more information about installing the management server, see [Deploying the App-V server](appv-deploying-the-appv-server.md). - -2. After you've completed the installation, use the following link to connect it to the App-V database - [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md). - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md deleted file mode 100644 index 8af6d33a4dc..00000000000 --- a/windows/application-management/app-v/appv-operations.md +++ /dev/null 
@@ -1,55 +0,0 @@
----
-title: Operations for App-V (Windows 10/11)
-description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/18/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# Operations for App-V
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-This section of the Microsoft Application Virtualization (App-V) Administrator’s Guide includes information about the various types of App-V administration and operating tasks that are typically performed by an administrator. This section also includes step-by-step procedures to help you successfully perform those tasks.
-
-## Operations Information
-
-- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
-
- Describes how to create, modify, and convert virtualized packages.
-- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
-
- Describes how to use the App-V Management console to perform tasks such as sequencing an application, changing a package, using a project template, and using a package accelerator.
-- [Managing Connection Groups](appv-managing-connection-groups.md)
-
- Describes how connection groups enable virtualized applications to communicate with each other in the virtual environment; explains how to create, publish, and delete them; and describes how connection groups can help you better manage your virtualized applications.
-- [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md)
-
- Describes how to deploy App-V packages by using an ESD.
-- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
-
- Describes how to perform client configuration tasks using the client management console.
-- [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
-
- Provides instructions for migrating to App-V from a previous version.
-- [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
-
- Describes the set of Windows PowerShell cmdlets available for administrators performing various App-V server tasks.
-
-## Additional information
-
-- [Application Virtualization (App-V) overview](appv-for-windows.md)
-- [Getting Started with App-V](appv-getting-started.md)
-- [Planning for App-V](appv-planning-for-appv.md)
-- [Deploying App-V](appv-deploying-appv.md)
-- [Troubleshooting App-V](appv-troubleshooting.md)
-- [Technical Reference for App-V](appv-technical-reference.md)
-
-
-
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
deleted file mode 100644
index aca51695137..00000000000
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ /dev/null
@@ -1,496 +0,0 @@ ---- -title: Performance Guidance for Application Virtualization -description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Performance Guidance for Application Virtualization - -**Applies to**: - -- Windows 7 SP1 -- Windows 10 -- Windows 11 -- Server 2012 R2 -- Server 2016 - -Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. - -Implementing multiple methods can help you improve the end-user experience. However, your environment may not support all methods. - -You should read and understand the following information before reading this document. - -- [Application Virtualization (App-V) overview](appv-for-windows.md) - -- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) - -- [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760) - -> [!Note] -> Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk `*`, review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. - -Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. 
Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI). - -To help determine what information is relevant to your environment, you should review each section's brief overview and applicability checklist. - -## App-V in stateful\* non-persistent deployments - -This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This access is achieved by uniquely addressing the often long-running App-V publishing refresh. As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn't have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience. - -Use the information in the following section for more information: - -[Usage Scenarios](#bkmk-us) - As you review the two scenarios, keep in mind that these scenarios are the approach extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users and/or virtual applications packages. - -- Optimized for Performance – To provide the optimal experience, you can expect the base image to include some of the App-V virtual application package. This and other requirements are discussed. - -- Optimized for Storage – If you're concerned with the storage impact, following this scenario will help address those concerns. - -[Preparing your Environment](#bkmk-pe) - -- Steps to Prepare the Base Image – Whether in a non-persistent VDI or RDSH environment, only a few steps must be completed in the base image to enable this approach. 
- -- Use UE-V as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution. - -[User Experience Walk-through](#bkmk-uewt) - -- Walk-through – It's a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. - -- Outcome – It describes the expected results. - -[Impact to Package Lifecycle](#bkmk-plc) - -[Enhancing the VDI Experience through Performance Optimization/Tuning](#bkmk-evdi) - -### Applicability Checklist - -|Checklist|Deployment Environment| -|--- |--- | -|![Checklist box](images/checklistbox.gif)|Non-Persistent VDI or RDSH.| -|![Checklist box](images/checklistbox.gif)|User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).| - -|Checklist|Expected Configuration| -|--- |--- | -|![Checklist box](images/checklistbox.gif)|User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.| -|![Checklist box](images/checklistbox.gif)|App-V Shared Content Store (SCS) is configured or can be configured.| - - -|Checklist|IT Administration| -|--- |--- | -|![Checklist box](images/checklistbox.gif)|Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.| - -### Usage Scenarios - -As you review the two scenarios, keep in mind that these scenarios represent the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. 
- -- **Performance**: To provide the most optimal user experience, this approach uses the capabilities of a UPM solution and requires extra image preparation and can incur some more image management overhead. - - The following section describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article). - -- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Don't pre-configure user-targeted virtual application packages in the base image. - - The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) (in this article). - -### Preparing your Environment - -The following information displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach. - -#### Prepare the Base Image - -- **Performance**: - - - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md). - - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps. - - Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). - - Configure Preserve User Integrations on Login Registry DWORD. - - Pre-configure all user and global-targeted packages, for example, **Add-AppvClientPackage**. - - Pre-configure all user- and global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**. - - Pre-publish all global-targeted packages. Or: - - Perform a global publishing/refresh. - - Perform a user publishing/refresh. - - Unpublish all user-targeted packages. 
- - Delete the following user-Virtual File System (VFS) entries: - - - `AppData\Local\Microsoft\AppV\Client\VFS` - - `AppData\Roaming\Microsoft\AppV\Client\VFS` - -- **Storage**: - - - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md). - - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps. - - Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). - - Configure Preserve User Integrations on Login Registry DWORD. - - Pre-configure all global-targeted packages, for example, **Add-AppvClientPackage**. - - Pre-configure all global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**. - - Pre-publish all global-targeted packages. - -#### Configurations - -For critical App-V Client configurations and for a little more context and how-to, review the following configuration settings: - -- **Shared Content Store (SCS) Mode**: When running the shared content store, only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). Such a result helps to conserve local storage and minimize disk I/O per second (IOPS). - - This setting is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN. - - - Configurable in Windows PowerShell: `Set-AppvClientConfiguration -SharedContentStoreMode 1` - - Configurable with Group Policy: See [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). - -- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting isn't configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*. 
- - For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh. - - If you don't plan to pre-configure every available user package in the base image, use this setting. - - - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`. - - Create the DWORD value **PreserveUserIntegrationsOnLogin** with a value of 1. - - Restart the App-V client service or restart the computer running the App-V Client. - -- **MaxConcurrentPublishingRefresh**: This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit. - - Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync. - - If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they sign in could take an indeterminate amount of time. - - - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing`. - - Create the DWORD value **MaxConcurrentPublishingrefresh** with the desired maximum number of concurrent publishing refreshes. - - The App-V client service and computer don't need to be restarted. - -### Configure UE-V solution for App-V Approach - -We recommend using User Experience Virtualization (UE-V) to capture and centralize application settings and Windows operating system settings for a specific user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. UE-V is optimized for RDS and VDI scenarios. 
- -For more information, see: - -- [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows) - -- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) - -> [!Note] -> Without performing an additional configuration step, User Environment Virtualization (UE-V) won't be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. - -UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user's device will have the same set of applications installed to the same location and every .lnk file is valid for all the users' devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. - -- If a user has an application installed on one device with .lnk files enabled and the same native application installed on another device to a different installation root with .lnk files enabled. - -- If a user has an application installed on one device but not another with .lnk files enabled. - -> [!Important] -> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. - -Using the Microsoft Registry Editor (regedit.exe), navigate to `HKEY\_LOCAL\_MACHINE\Software\Microsoft\UEV\Agent\Configuration\ExcludedFileTypes` and remove `.lnk` from the excluded file types. 
- -## Configure other User Profile Management (UPM) solutions for App-V Approach - -The expectation in a stateful environment is that a UPM solution is implemented and can support persistence of user data across sessions and between logins. - -The requirements for the UPM solution are as follows. - -To enable an optimized sign-in experience, for example the App-V approach for the user, the solution must be capable of: - -- Persisting the below user integrations as part of the user profile/persona. - -- Triggering a user profile sync on sign in (or application start), which can guarantee that all user integrations are applied before publishing/refresh begin, or, - -- Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations. - - > [!Note] - > - > App-V is supported when using UPD only when the entire profile is stored on the user profile disk. - > - > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders. - -- Capturing changes to the locations, which constitute the user integrations, prior to session sign out. - -With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during a sign in and/or after a specified refresh interval. In both cases, a scheduled task is created. - -In previous versions of App-V, both scheduled tasks were configured using a VBScript that would initiate the user and global refresh. Starting with Hotfix Package 4 for Application Virtualization 5.0 SP2, the user refresh on a sign in was initiated by **SyncAppvPublishingServer.exe**. This change was introduced to provide UPM solutions a trigger process. This process delays the publish /refresh to allow the UPM solution to apply the user integrations. It will exit once the publishing/refresh is complete. 
- -### User Integrations - -Registry – HKEY\_CURRENT\_USER - -- Path - Software\\Classes - - Exclude: Local Settings, ActivatableClasses, AppX\* - -- Path - Software\\Microsoft\\AppV - -- Path- Software\\Microsoft\\Windows\\CurrentVersion\\App Paths - -### File Locations - -- Root – “Environment Variable” APPDATA - - Path – Microsoft\\AppV\\Client\\Catalog - -- Root – “Environment Variable” APPDATA - - Path – Microsoft\\AppV\\Client\\Integration - -- Root – “Environment Variable” APPDATA - - Path - Microsoft\\Windows\\Start Menu\\Programs - -- (To persist all desktop shortcuts, virtual and non-virtual) - - Root - “KnownFolder” {B4BFCC3A-DB2C-424C-B029-7FE99A87C641}FileMask - \*.lnk - -### User Experience Walk-through - -This following process is a step-by-step walk-through of the App-V and UPM operations, and the users' expectations. - -- **Performance**: After implementing this approach in the VDI/RDSH environment, on first login, - - (Operation) A user-publishing/refresh is initiated. - - (Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this operation will take the usual duration of a publishing/refresh. - -- (Operation) After the publishing/refresh, the UPM solution captures the user integrations. - - (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-out process. This result will incur the same/similar overhead as persisting the user state. - - **On subsequent logins**: - - - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. - - (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (that is, package entitlements change), some may go away. - - - (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements. 
- - (Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications - - The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. - - - (Operation) UPM solution will capture user integrations again at sign off. - - (Expectation) Same as previous. - - **Outcome**: - - - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of sign in. - - The publishing/refresh will process changes to the users-entitled virtual applications, which impacts the experience. - -- **Storage**: After implementing this approach in the VDI/RDSH environment, on first login - - - (Operation) A user-publishing/refresh is initiated. - - (Expectation): - - - If this instance is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. - - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh). - - - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. - - (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state. - - **On subsequent logins**: - - - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. - - (Operation) Add/refresh must pre-configure all user targeted applications. - - - (Expectation): - - This may increase the time to application availability significantly (on the order of 10s of seconds). 
- - This will increase the publishing refresh time relative to the number and complexity* of virtual applications. - - - (Operation) Publishing/refresh will process unpublish and publish operations for changes to user package entitlements. - - **Outcome**: Because the add/refresh must reconfigure all the virtual applications to the VM, the publishing refresh time on every login will be extended. - -### Impact to Package Life Cycle - -Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section: - -App-V 5.0 SP2 introduced the concept of pending states. In the past, - -- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the unpublish or publish operation, respectively, would fail. - -- Now, if a package is in use, the operation will be pended. The unpublish and publish-pend operations will be processed on service restart or if another publish or unpublish command is issued. In the latter case, if the virtual application is in-use otherwise, the virtual application will remain in a pending state. For globally published packages, a restart (or service restart) often needed. - -In a non-persistent environment, it's unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. Although this location is persisted by the UPM solution, if it isn't applied to the environment prior to a sign in, it will not be processed. 
- -### Enhancing the VDI Experience through Performance Optimization Tuning - -The following section contains lists with information about Microsoft documentation and downloads that may be useful when optimizing your environment for performance. - -#### Windows Server - -Server performance tuning guidelines for [Microsoft Windows Server 2012 R2](/previous-versions/dn529133(v=vs.85)) - -#### Server roles - -- [Remote Desktop Virtualization Host](/previous-versions/dn567643(v=vs.85)) - -- [Remote Desktop Session Host](/previous-versions/dn567648(v=vs.85)) - -- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions/dn567678(v=vs.85)) - -- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134210(v=ws.11)) - -#### Windows Client (guest OS) performance tuning guidance - -- [The Microsoft Premier Field Engineer (PFE) view on Virtual Desktop (VDI) Density](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density) - -- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe) - -## Sequencing Steps to Optimize Packages for Publishing Performance - -Several App-V features facilitate new scenarios or enable new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations. - -|Step|Consideration|Benefits|Tradeoffs| -|--- |--- |--- |--- | -|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
  • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
  • Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be resequenced.| - -### Removing FB1 - -Removing FB1 doesn't require the original application installer. After completing the following steps, it's suggested that you revert the computer running the sequencer to a clean snapshot. - -**Sequencer UI** - Create a New Virtual Application Package. - -1. Complete the sequencing steps up to Customize -> Streaming. - -2. At the Streaming step, don't select **Optimize the package for deployment over slow or unreliable network**. - -3. If desired, move on to **Target OS**. - -**Modify an Existing Virtual Application Package** - -1. Complete the sequencing steps up to Streaming. - -2. Don't select **Optimize the package for deployment over a slow or unreliable network**. - -3. Move to **Create Package**. - -**Windows PowerShell** - Update an Existing Virtual Application Package. - -1. Open an elevated Windows PowerShell session. - -2. Import-module **appvsequencer**. - -3. **Update-AppvSequencerPackage** - **AppvPackageFilePath** - - "C:\\Packages\\MyPackage.appv" -Installer - - "C:\\PackageInstall\\PackageUpgrade.exe empty.exe" -OutputPath - - "C:\\UpgradedPackages" - - > [!Note] - > This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. - -|Step|Considerations|Benefits|Tradeoffs| -|--- |--- |--- |--- | -|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages don't need to be resequenced. 
SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies won't install at publishing time.|SxS Assembly dependencies must be pre-installed.| - - -### Creating a new virtual application package on the sequencer - -If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an application's installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly. - -**Client Side**: - -When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it's included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation won't occur. - -|Step|Considerations|Benefits|Tradeoffs| -|--- |--- |--- |--- | -|Selectively Employ Dynamic Configuration files|The App-V client must parse and process these Dynamic Configuration files.

    Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.

    Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.|Publishing times will improve if these files are used selectively or not at all.|Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.| - - -### Disabling a Dynamic Configuration by using Windows PowerShell - -- For already published packages, you can use `Set-AppVClientPackage –Name Myapp –Path c:\Packages\Apps\MyApp.appv` without - - **-DynamicDeploymentConfiguration** parameter - -- Similarly, when adding new packages using `Add-AppVClientPackage –Path c:\Packages\Apps\MyApp.appv`, don't use the - - **-DynamicDeploymentConfiguration** parameter. - -For documentation on How to Apply a Dynamic Configuration, see: - -- [How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) - -- [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) - -|Step|Considerations|Benefits|Tradeoffs| -|--- |--- |--- |--- | -|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be slower.
    Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.| -|Remove Extraneous Virtual Fonts from Package.|Most applications investigated by the App-V product team contained a few fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.| - -### Determining what virtual fonts exist in the package - -- Make a copy of the package. - -- Rename Package\_copy.appv to Package\_copy.zip - -- Open AppxManifest.xml and locate the following syntax: - - ```xml - - - - - ``` - - > [!Note] - > If there are fonts marked as **DelayLoad**, those won't impact first launch. - -### Excluding virtual fonts from the package - -Use the dynamic configuration file that best suits the user scope – deployment configuration for all users on computer, user configuration for specific user or users. - -- Disable fonts with the deployment or user configuration. - -Fonts - -```xml ---> - - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-
-Help us to improve
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
deleted file mode 100644
index 2e05013ad94..00000000000
--- a/windows/application-management/app-v/appv-reporting.md
+++ /dev/null
@@ -1,218 +0,0 @@
----
-title: About App-V Reporting (Windows 10/11)
-description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/16/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# About App-V reporting
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-Application Virtualization (App-V) includes a built-in reporting feature that collects information about computers running the App-V client and virtual application package usage. You can generate reports from a centralized database with this information.
-
-## App-V reporting overview
-
-The following list displays the end–to-end high-level workflow for reporting in App-V.
-
-1. The App-V Reporting server requires the following things:
-
- * Internet Information Service (IIS) web server role
- * Windows Authentication role (under **IIS / Security**)
- * SQL Server installed and running with SQL Server Reporting Services (SSRS)
-
- To confirm SQL Server Reporting Services is running, enter `https://localhost/Reports` in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear.
-2. Install the App-V reporting server and associated database. For more information about installing the reporting server, see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server.
-3. If you aren't using an electronic software distribution system such as Configuration Manager to view reports, then you can define reports in SQL Server Reporting Service.
- - > [!NOTE] - >If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V. -4. After importing the App-V Windows PowerShell module using **Import-Module AppvClient** as administrator, enable App-V client reporting. This sample Windows PowerShell command enables App-V reporting: - - ```PowerShell - Set-AppvClientConfiguration -ReportingServerURL : -ReportingEnabled 1 -ReportingStartTime <0-23> -ReportingRandomDelay <#min> - ``` - - To immediately send App-V report data, run **Send-AppvClientReport** on the App-V client. - - For more information about configuring reporting on the App-V client, see [About client configuration settings](appv-client-configuration-settings.md). To administer App-V Reporting with Windows PowerShell, see [How to enable reporting on the App-V client by using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md). -5. After the reporting server receives the data from the App-V client, it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server, which then notifies the App-V client. -6. When the App-V client receives the success notification, it empties the data cache to conserve space. - - > [!NOTE] - >By default, the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. - - If the App-V client device doesn't receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. - -### App-V reporting server frequently asked questions - -The following sections provide answers to frequently asked questions about how App-V reporting works. - -#### How frequently is reporting information sent to the reporting database? 
- -Frequency depends on the computer running the App-V client's reporting configuration. You must configure the frequency or interval for sending the reporting data manually, as App-V reporting isn't enabled by default. - -#### What information is stored in the reporting server database? - -The following information is stored in the reporting database: - -* The operating system running on the computer running the App-V client: host name, version, service pack, type - client/server, processor architecture. -* App-V client information: version. -* Published package list: GUID, version GUID, name. -* Application usage information: name, version, streaming server, user (domain\alias), package version GUID, launch status and time, shutdown time. - -#### What is the average volume of information that is sent to the reporting server? - -It depends. Three sets of data can be sent to the reporting server: - -* Operating system and App-V client information, which is about 150 Bytes every time it gets sent to the server. -* Published package lists, which are about 7 KB per 30 packages. This is sent only when the package list is updated with a publishing refresh, which is done infrequently; if there's no change, this information isn't sent. -* Virtual application usage information is about 0.25 KB per event. Opening and closing count as one event if both occur before sending the information. When the information is sent through a scheduled task, only the data since the last successful upload is sent to the server. If sending manually through the Windows PowerShell cmdlet, there's an optional argument called **DeleteOnSuccess** that controls if the data needs to be resent the next time around. - -For example, if 20 applications are opened and closed and reporting information is scheduled to be sent daily, the typical daily traffic should be about 0.15 KB + 20 × 0.25 KB, or about 5 KB/user. - -#### Can I schedule reporting? - -Yes. 
Besides manually sending reporting using Windows PowerShell cmdlets (**Send-AppvClientReport**), the task can be scheduled so it will happen automatically. There are two ways to schedule the reporting: - -* Using a Windows PowerShell cmdlet: **Set-AppvClientConfiguration**. For example: - - ```PowerShell - Set-AppvClientConfiguration -ReportingEnabled 1 -ReportingServerURL http://any.com/appv-reporting - ``` - - For a complete list of client configuration settings, go to [About client configuration settings](appv-client-configuration-settings.md) and look for the following entries: **ReportingEnabled**, **ReportingServerURL**, **ReportingDataCacheLimit**, **ReportingDataBlockSize**, **ReportingStartTime**, **ReportingRandomDelay**, **ReportingInterval**. -* Using Group Policy. If distributed using the domain controller, the settings are the same as previously listed. - - > [!NOTE] - >Group Policy settings override local settings configured using Windows PowerShell. - -## App-V Client reporting - -To use App-V reporting, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting. - -### Configuring App-V client reporting using Windows PowerShell - -The following examples show how Windows PowerShell parameters can configure the reporting features of the App-V client. - ->[!NOTE] ->The following configuration tasks can also be configured using Group Policy settings in the App-V ADMX template. The App-V settings are under **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. 
- -#### Enabling reporting and initiating data collection on the computer running the App-V client - -Use the following command to enable reporting and initiate date collection on the computer running the App-V client: - -```PowerShell -Set-AppVClientConfiguration –ReportingEnabled 1 -``` - -#### Configuring the client to automatically send data to a specific reporting server - -To configure the client to automatically send data to a specific reporting server, use a command with the following format: - -```PowerShell -Set-AppVClientConfiguration -ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 -``` - -This example command configures the client to automatically send the reporting data to the reporting server URL ```http://MyReportingServer:MyPort/```. The reporting data will be sent to the URL daily between 8:00 PM and 8:30 PM, depending on the session's generated random delay. - -#### Limiting the size of the client's data cache - -To limit the client's data cache size, use a command with the following format: - -```PowerShell -Set-AppvClientConfiguration –ReportingDataCacheLimit 100 -``` - -This example command configures the maximum size of the App-V client computer's reporting cache to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary. - -#### Configuring the data block size transmitted across the network between the client and the server - -To configure the data block size, use a command with the following format: - -```PowerShell -Set-AppvClientConfiguration –ReportingDataBlockSize 10240 -``` - -This example command specifies the maximum size of the data block as 10,240 MB. - -### Types of data collected - -The following table displays the types of information you can collect by using App-V reporting. 
- -|Client information|Package information|Application usage| -|---|---|---| -|Host name|Package name|Start and end times| -|App-V client version|Package version|Run status| -|Processor architecture|Package source|Shutdown state| -|Operating system version|Percent cached|Application name| -|Service Pack level||Application version| -|Operating system type||Username| -|||Connection group| - -The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file. - -### Sending data to the server - -You can configure the computer that is running the App-V client to automatically send data to the specified reporting server. To specify the server, use the **Set-AppvClientConfiguration** cmdlet with the following settings: - -* ReportingEnabled -* ReportingServerURL -* ReportingStartTime -* ReportingInterval -* ReportingRandomDelay - -After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following Windows PowerShell cmdlet: - -```PowerShell -Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess -``` - -If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection. - -The **-DeleteOnSuccess** parameter indicates that if the transfer is successful, then the data cache will be cleared. If the transfer-status isn't specified, then the cache won't be cleared. - -### Manual Data Collection - -You can also use the **Send-AppVClientReport** cmdlet to manually collect data. This solution is helpful with or without an existing reporting server. 
The following list displays information about collecting data with or without a reporting server. - -|With a reporting server|Without a reporting server| -|---|---| -|f you have an existing App-V reporting server, create a customized scheduled task or script. Specify that the client sends the data to the specified location at the desired frequency.|If you don't have an existing App-V reporting Server, use the **–URL** parameter to send the data to a specified share. For example: ```Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess```
    The previous example will send the reporting data to the ```\\MyShare\MyData\``` location indicated by the **-URL** parameter. After the data has been sent, the cache is cleared.| - ->[!NOTE] ->If a location other than the Reporting Server is specified, the data is sent in **.xml** format with no additional processing. - -### Creating reports - -To retrieve report information and create reports using App-V, you must use one of the following methods: - -* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS isn't installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article. - -* Scripting—You can generate reports by scripting directly against the App-V reporting database. For example: - - **Stored Procedure:** - - **spProcessClientReport** is scheduled to run at midnight or 12:00 AM. - - To run the Microsoft SQL Server Scheduled Stored procedure, the Microsoft SQL Server Agent must be running. Make sure the Microsoft SQL Server Agent is set to **AutoStart**. For more information, see [Autostart SQL Server Agent (SQL Server Management Studio)](/sql/ssms/agent/autostart-sql-server-agent-sql-server-management-studio). - - The stored procedure is also created when you use the App-V database scripts. - -You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server can manage without affecting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. 
-
-
-
-
-
-## Related articles
-
-* [Deploying the App-V server](appv-deploying-the-appv-server.md)
-* [How to install the reporting server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md)
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
deleted file mode 100644
index 4e4f47b94fc..00000000000
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11)
-description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
-author: aczechowski
-ms.service: windows-client
-ms.date: 03/08/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.subservice: itpro-apps
-ms.topic: article
----
-
-# Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
-
-**Applies to**
-- Windows 7 SP1
-- Windows 10
-- Windows 11
-- Windows Server 2012 R2
-- Windows Server 2016
-
-You can run a locally installed application in a virtual environment, alongside applications that have been virtualized by using Microsoft Application Virtualization (App-V). You might want to do this task if you:
-
-- Want to install and run an application locally on client computers, but want to virtualize and run specific plug-ins that work with that local application.
-
-- Are troubleshooting an App-V client package and want to open a local application within the App-V virtual environment.
-
-Use any of the following methods to open a local application inside the App-V virtual environment:
-
-- [RunVirtual registry key](#bkmk-runvirtual-regkey)
-
-- [Get-AppvClientPackage Windows PowerShell cmdlet](#bkmk-get-appvclientpackage-posh)
-
-- [Command line switch /appvpid:<PID>](#bkmk-cl-switch-appvpid)
-
-- [Command line hook switch /appvve:<GUID>](#bkmk-cl-hook-switch-appvve)
-
-Each method accomplishes essentially the same task, but some methods may be better suited for some applications than others, depending on whether the virtualized application is already running.
- -## RunVirtual registry key - - -To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections. - -There's no Group Policy setting available to manage this registry key. So, you have to use Microsoft Intune or Configuration Manager, another electronic software distribution (ESD) system, or manually edit the registry. - -Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. - - -### Steps to create the subkey - -1. Using the information in the following table, create a new registry key using the name of the executable file, for example, **MyApp.exe**. - - - **Published globally**: Create the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual` registry key. - - For example, create `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe`. - - - **Published to the user**: Create the `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual` registry key. - - For example, create `HKEY_CURRENT_USER \SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe`. - - - Connection group can be: - - Packages that are published globally or just to the user - - Packages that are published globally and to the user - - Use the `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER` key. But, all of the following conditions must be fulfilled: - - - If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group. - - Create only one subkey for one of the packages in the connection group. For example, you have one package that is published globally and another package that is published to the user. You create a subkey for either of these packages, but not both. 
Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment. - - The key under which you create the subkey must match the publishing method you used for the package. - - For example, if you published the package to the user, you must create the subkey under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual`. Don't add a key for the same application under both hives. - -2. Set the new registry subkey’s value to the PackageId and VersionId of the package, separating the values with an underscore. - - **Syntax**: `_` - - **Example**: 4c909996-afc9-4352-b606-0b74542a09c1\_be463724-Oct1-48f1-8604-c4bd7ca92fa - - The application in the previous example would produce a registry export file (.reg file) like the following example: - - ```registry - Windows Registry Editor Version 5.00 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual] - @="" - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe] - @="aaaaaaaa-bbbb-cccc-dddd-eeeeeeee_11111111-2222-3333-4444-555555555 - ``` - -## Get-AppvClientPackage Windows PowerShell cmdlet - - -You can use the **Start-AppVVirtualProcess** cmdlet to retrieve the package name and then start a process within the specified package's virtual environment. This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running. - -Use the following example syntax, and substitute the name of your package for ``: - -`$AppVName = Get-AppvClientPackage ` - -`Start-AppvVirtualProcess -AppvClientObject $AppVName cmd.exe` - -If you don’t know the exact name of your package, you can use the command line `Get-AppvClientPackage YourExecutable`, where `YourExecutable` is the name of the application. For example, enter `Get-AppvClientPackage Word`. 
-
-## Command line switch `/appvpid:`
-
-
-You can apply the `/appvpid:` switch to any command, which enables that command to run within a virtual process that you select by specifying its process ID (PID). Using this method launches the new executable in the same App-V environment as an executable that is already running.
-
-Example: `cmd.exe /appvpid:8108`
-
-To find the process ID (PID) of your App-V process, run the command **tasklist.exe** from an elevated command prompt.
-
-## Command line hook switch `/appvve:`
-
-
-This switch lets you run a local command within the virtual environment of an App-V package. Unlike the **/appvid** switch, where the virtual environment must already be running, this switch enables you to start the virtual environment.
-
-Syntax: `cmd.exe /appvve:`
-
-Example: `cmd.exe /appvve:aaaaaaaa-bbbb-cccc-dddd-eeeeeeee_11111111-2222-3333-4444-55555555`
-
-To get the package GUID and version GUID of your application, run the **Get-AppvClientPackage** cmdlet. Concatenate the **/appvve** switch with the following:
-
-- A colon
-
-- Package GUID of the desired package
-
-- An underscore
-
-- Version ID of the desired package
-
-If you don’t know the exact name of your package, use the command line `Get-AppvClientPackage YourExecutable`, where `YourExecutable` is the name of the application. For example, enter `Get-AppvClientPackage Word`.
-
-This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running.
-
-## Related articles
-
-
-[Technical Reference for App-V](appv-technical-reference.md)
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
deleted file mode 100644
index 77bc48c66fe..00000000000
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: App-V Security Considerations (Windows 10/11)
-description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
-author: aczechowski
-ms.service: windows-client
-ms.date: 04/16/2018
-ms.reviewer:
-manager: aaroncz
-ms.author: aaroncz
-ms.collection: must-keep
-ms.topic: article
-ms.subservice: itpro-apps
----
-
-# App-V security considerations
-
-[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-
-This article contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
-
->[!IMPORTANT]
->App-V isn't a security product and doesn't provide any guarantees for a secure environment.
-
-## The PackageStoreAccessControl (PSAC) feature has been deprecated
-
-Effective as of June 2014, the PackageStoreAccessControl (PSAC) feature introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments.
-
-## General security considerations
-
-**Understand the security risks.** The most serious risk to App-V is from unauthorized users hijacking an App-V client's functionality, giving the hacker the ability to reconfigure key data on App-V clients. By comparison, short-term loss of App-V functionality from a denial-of-service attack wouldn't be as catastrophic.
-
-**Physically secure your computers**. A security strategy that doesn't consider physical security is incomplete. Anyone with physical access to an App-V server could potentially attack the entire client base, so potential physical attacks or thefts should be prevented at all cost. App-V servers should be stored in a physically secure server room with controlled access.
Lock the computer with the operating system or a secured screen saver to keep computers secure when the administrators are away.
-
-**Apply the most recent security updates to all computers**. To stay informed about the latest updates for operating systems, Microsoft SQL Server, and App-V, see the [Microsoft Security TechCenter](https://technet.microsoft.com/security/bb291012). (THIS LINK NEEDS TO BE UPDATED)
-
-**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all App-V and App-V administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](/sql/relational-databases/security/password-policy) and [Strong Passwords](/sql/relational-databases/security/strong-passwords). (THIS LINK NEEDS TO BE UPDATED)
-
-## Accounts and groups in App-V
-
-A best practice for user account management is to create domain global groups and add user accounts to them. After that, add the domain global accounts to the necessary App-V local groups on the App-V servers.
-
->[!NOTE]
->App-V client computer accounts that need to connect to the publishing server must be part of the publishing server’s **Users** local group. By default, all computers in the domain are part of the **Authorized Users** group, which is part of the **Users** local group.
-
-### App-V server security
-
-No groups are created automatically during App-V setup. You should create the following Active Directory Domain Services global groups to manage App-V server operations.
-
-|Group name|Details|Important notes|
-|---|---|---|
-|App-V Management Admin group|Used to manage the App-V management server. This group is created during the App-V Management Server installation.|The management console can't create a new group after installation is complete.|
-|Database read/write for Management Service account|Provides read/write access to the management database.
This account should be created during App-V management database installation.||
-|App-V Management Service install admin account|Provides public access to schema-version table in management database. This account should be created during App-V management database installation.|This account is only required if the management database is being installed separately from the service.|
-|App-V Reporting Service install admin account|Public access to schema-version table in reporting database. This account should be created during the App-V reporting database installation.|This account is only required if reporting database is being installed separately from the service.|
-
-Consider the following additional information:
-
-* Access to the package shares: If a share exists on the same computer as the management Server, the **Network** service requires read access to the share. In addition, each App-V client computer must have read access to the package share.
- > [!NOTE]
- >In previous versions of App-V, package share was referred to as content share.
-* Registering publishing servers with Management Server: A publishing server must be registered with the Management server. For example, it must be added to the database, so that the Publishing server machine accounts are able to call into the Management service API.
-
-### App-V package security
-
-The following information will help you plan how to ensure that virtualized packages are secure.
-
-* If an application installer applies an access control list (ACL) to a file or directory, then that ACL isn't persisted in the package. If the file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory.
The former occurs if the file or directory doesn't exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**.
-
-## App-V log files
-
-During App-V setup, setup log files are created in the **%temp%** folder of the installing user.
-
-## Related articles
-
-[Preparing Your Environment for App-V](appv-preparing-your-environment.md)
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
deleted file mode 100644
index 1af6a22f42e..00000000000
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ /dev/null
@@ -1,218 +0,0 @@ ---- -title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) -description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. -author: aczechowski -ms.service: windows-client -ms.date: 04/16/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Starting with Windows 10 version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). - -## Before you start sequencing - -1. Determine the type of virtualized application package you want to create: - - | Application type | Description | - |---|---| - | Standard | Creates a package that contains an application or a suite of applications. This is the preferred option for most application types. | - | Add-on or plug-in | Creates a package that extends the functionality of a standard application, for example, a plug-in for Microsoft Excel. Additionally, you can use plug-ins for natively installed applications, or for another package that is linked by using connection groups. | - | Middleware | Creates a package that is required by a standard application, for example, Java. Middleware packages are used for linking to other packages through connection groups. | - -2. Copy all required installation files to the computer that is running the sequencer. - -3. Make a backup image of your virtual environment before sequencing an application, and then revert to that image each time after you finish sequencing an application. - -4. 
Review the following items: - - - If an application installer changes the security access to a new or existing file or directory, those changes are not captured in the package. - - If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume. - - > [!NOTE] - > The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where *x* is any numeral. Error 0x8007139F will be generated. - -## Sequence a new standard application - -1. On the computer that runs the sequencer, select **All Programs**, and then select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**. - -2. In the sequencer, select **Create a New Virtual Application Package**. Select **Create Package (default)**, and then select **Next**. - -3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, select **Refresh** to display the updated information. After you have resolved all potential issues, select **Next**. - - >[!IMPORTANT] - >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. - -4. On the **Type of Application** page, select the **Standard Application (default)** check box, and then select **Next**. - -5. On the **Select Installer** page, select **Browse** and specify the installation file for the application. - - > [!NOTE] - > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. 
- - If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then select **Next**. - -6. On the **Package Name** page, specify a name for the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V Management Console. Once you're done, select **Next**. - -7. On the **Installation** page, when the sequencer and application installer are ready, you can install the application so that the sequencer can monitor the installation process. - - >[!IMPORTANT] - >You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. - - Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, select **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, then select **Next**. - -8. On the **Installation** page, wait while the sequencer configures the virtualized application package. - -9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then select **Run All**. To run specific programs, select the program or programs, and then select **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. - - > [!NOTE] - >To run first-use tasks for any application that is not available in the list, open the application. 
The associated information will be captured during this step. - - Select **Next**. - -10. On the **Installation Report** page, you can review information about the virtualized application package you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, select **Next**. - -11. The **Customize** page is displayed. If you've finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. - - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. - - Once you're ready, select **Next**. - -12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then select **Next**. - - > [!NOTE] - > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened. After that, depending on how the background loading is configured, it will load the rest of the application. - -13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. After that, select **Next**. 
- - > [!IMPORTANT] - > Make sure that the operating systems you specify here are supported by the application you are sequencing. - -14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before saving it. Select **Next**. - - To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. - - > [!IMPORTANT] - > The system does not support non-printable characters in **Comments** and **Descriptions**. - - The default **Save Location** is also displayed on this page. To change the default location, select **Browse** and specify the new location. After that, select **Create**. - -15. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then select **Close**. This information is also available in the **Report.xml** file located in the directory where the package was created. - - Your package should now be available in the sequencer. - - > [!IMPORTANT] - > After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer. - -## Sequence an add-on or plug-in application - -> [!NOTE] -> Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. -> -> For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that's running the sequencer. 
You should also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. - -1. On the computer that runs the sequencer, first, select **All Programs**, then select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**. - -2. In the sequencer, select **Create a New Virtual Application Package**, select **Create Package (default)**, and then select **Next**. - -3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, select **Refresh** to display the updated information. After you have resolved all potential issues, select **Next**. - - >[!IMPORTANT] - >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. - -4. On the **Type of Application** page, select **Add-on or Plug-in**, and then select **Next**. - -5. On the **Select Installer** page, select **Browse** and specify the installation file for the add-on or plug-in. If the add-on or plug-in does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, then select **Next**. - -6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. 
To do this, select **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. - -7. Select **Next**. - -8. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V Management Console. - -9. Select **Next**. - -10. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, select **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then select **Next**. - -11. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, select **Next**. - -12. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - - - Optimize how the package will run across a slow or unreliable network. - - Specify the operating systems that can run this package. - - When you're finished, select **Next**. - -13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. 
Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all applications to run. After all applications have run, close each application. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Select **Next**. - - > [!NOTE] - > If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, select **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. - -14. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Select **Next**. - -15. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor** check box. This option opens the package in the sequencer console so that you can modify the package before it is saved. Select **Next**. - - To save the package immediately, select **Save the package now**. Optionally, add a **Description** for the package. Descriptions are useful for identifying the version and other important information about the package. - - >[!IMPORTANT] - >The system does not support non-printable characters in Comments and Descriptions. - - The default **Save Location** is also displayed on this page. To change the default location, select **Browse** and specify the new location. Select **Create**. - -### Sequence a middleware application - -1. 
On the computer that runs the sequencer, select **All Programs**, then select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**. - -2. In the sequencer, select **Create a New Virtual Application Package**, select **Create Package (default)**, and then select **Next**. - -3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, select **Refresh** to display the updated information. After you have resolved all potential issues, select **Next**. - - >[!IMPORTANT] - >If you are required to disable virus scanning software, you should first scan the computer that runs the App-V Sequencer in order to ensure that no unwanted or malicious files can be added to the package. - -4. On the **Type of Application** page, select **Middleware**, and then select **Next**. - -5. On the **Select Installer** page, select **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, then select **Next**. - -6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V Management Console. - -7. Select **Next**. - -8. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. 
If additional installation files must be run as part of the installation, select **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then select **Next**. - -9. On the **Installation** page, wait while the sequencer configures the virtual application package. - -10. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, select **Next**. - -11. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Once you're done, select **Next**. - -12. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Select **Next**. - - To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. Descriptions are useful for identifying the program version and other information about the package. - - >[!IMPORTANT] - >The system does not support non-printable characters in comments and descriptions. - - The default **Save Location** is also displayed on this page. To change the default location, select **Browse** and specify the new location. Select **Create**. - -13. The **Completion** page is displayed. 
Review the information in the **Virtual Application Package Report** pane as needed, then select **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. - - The package is now available in the sequencer. To edit the package properties, select **Edit \[Package Name\]**. - - >[!IMPORTANT] - >After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer. - - -## Related articles - -- [Install the App-V Sequencer](appv-install-the-sequencer.md) -- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md deleted file mode 100644 index a41e80e750f..00000000000 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -title: How to sequence a package by using Windows PowerShell (Windows 10/11) -description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# How to Sequence a Package by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the following procedure to create a new App-V package using Windows PowerShell. - -> [!NOTE] -> Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md). - - -**To create a new virtual application by using Windows PowerShell** - -1. Install the App-V sequencer. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). - -2. Click **Start** and type **Windows PowerShell**. Right-click **Windows PowerShell**, and select **Run as Administrator**. - -3. Using the Windows PowerShell console, type the following: **import-module appvsequencer**. - -4. To create a package, use the **New-AppvSequencerPackage** cmdlet. The following parameters are required to create a package: - - - **Name** - specifies the name of the package. - - - **PrimaryVirtualApplicationDirectory** - specifies the path to the directory that will be used to install the application. This path must exist. - - - **Installer** - specifies the path to the associated application installer. - - - **Path** - specifies the output directory for the package. 
- - For example: - - ``` - New-AppvSequencerPackage –Name -PrimaryVirtualApplicationDirectory -Installer -OutputPath - ``` - - -Wait for the sequencer to create the package. Creating a package by using Windows PowerShell can take time. If the package was not created successfully, an error will be returned. - -The following list displays additional optional parameters that can be used with **New-AppvSequencerPackage** cmdlet: - -- AcceleratorFilePath – specifies the path to the accelerator .cab file to generate a package. - -- InstalledFilesPath - specifies the path to where the local installed files of the application are saved. - -- InstallMediaPath - specifies the path of the installation media - -- TemplateFilePath - specifies the path to a template file if you want to customize the sequencing process. - -- FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened. - -Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. - -> [!IMPORTANT] -> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. - -## Related articles - -- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
deleted file mode 100644
index f96111505d6..00000000000
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ /dev/null
@@ -1,129 +0,0 @@ ---- -title: App-V Supported Configurations (Windows 10/11) -description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment. -author: aczechowski -ms.service: windows-client -ms.date: 04/16/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.topic: article -ms.subservice: itpro-apps ---- - -# App-V Supported Configurations - -**Applies to**: - -- Windows 10 -- Windows 11 -- Windows Server 2019 -- Windows Server 2016 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 (Extended Security Update) - -This article specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md). - -## App-V Server system requirements - -This section lists the operating system and hardware requirements for all App-V server components. - -### Unsupported App-V server scenarios - -The App-V server does not support the following scenarios: - -* Deployment to a computer that runs the Server Core installation option. -* Deployment to a computer that runs a previous version of the App-V server components. You can only install App-V side-by-side with the App-V 4.5 Lightweight Streaming Server (LWS) server. This scenario doesn't support side-by-side deployment of App-V and the Application Virtualization Management Service (HWS) 4.x. -* Deployment to a computer running Microsoft SQL Server Express edition. -* Deployment to a domain controller. -* Short paths. If you plan to use a short path, you must create a new volume. - -### Management server operating system requirements - -You can install the App-V Management server on a server running Windows Server 2008 R2 with SP1 (Extended Security Update) or later. 
- ->[!IMPORTANT] ->Deploying a Management server role to a computer with Remote Desktop Services enabled is not supported. - -### Management server hardware requirements - -* A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 1-GB RAM (64-bit). -* 200 MB of available hard disk space, not including the content directory. - -### Management server database requirements - -The following table lists the SQL Server versions that the App-V Management database installation supports. - -|SQL Server version|Service pack|System architecture| -|---|---|---| -|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| -|Microsoft SQL Server 2017||32-bit or 64-bit| -|Microsoft SQL Server 2016|SP2|32-bit or 64-bit| -|Microsoft SQL Server 2014||32-bit or 64-bit| -|Microsoft SQL Server 2012|SP2|32-bit or 64-bit| -|Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit| - -For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f). - -### Publishing server operating system requirements - -The App-V Publishing server can be installed on a server that runs Windows Server 2008 R2 with SP1 or later. - -### Publishing server hardware requirements - -App-V adds require nothing beyond the requirements of Windows Server. - -* A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 2-GB RAM (64-bit). -* 200 MB of available hard disk space, not including the content directory. - -### Reporting server operating system requirements - -You can install the App-V Reporting server on a server running Windows Server 2008 R2 with SP1 or later. - -### Reporting server hardware requirements - -App-V adds no other requirements beyond those requirements of Windows Server. - -* A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 2-GB RAM (64-bit). -* 200 MB of available hard disk space, not including the content directory. 
- -### Reporting server database requirements - -The following table lists the SQL Server versions that are supported for the App-V Reporting database installation. - -|SQL Server version|Service pack|System architecture| -|---|---|---| -|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| -|Microsoft SQL Server 2017||32-bit or 64-bit| -|Microsoft SQL Server 2016|SP2|32-bit or 64-bit| -|Microsoft SQL Server 2014||32-bit or 64-bit| -|Microsoft SQL Server 2012|SP2|32-bit or 64-bit| -|Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit| - -## App-V client and Remote Desktop Services client requirements - -Starting with Windows 10 version 1607, the App-V client is included with Windows Enterprise and Windows Education. The App-V client is no longer part of the Microsoft Desktop Optimization Pack. Before you can use the App-V client, it must be enabled, as described in [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). - -Similarly, the App-V Remote Desktop Services (RDS) client is included with Windows Server 2016 Standard and Windows Server 2016 Datacenter. - -## Sequencer system requirements - -Sequencer is now part of the Windows Assessment and Deployment Kit (Windows ADK). [Download the latest Windows ADK](/windows-hardware/get-started/adk-install) that is recommended for your version of the Windows OS. - -### Sequencer hardware requirements - -See the Windows or Windows Server documentation for the hardware requirements. - -## Supported versions of Microsoft Configuration Manager - -The App-V client works with Configuration Manager versions starting with Technical Preview for Configuration Manager, version 1606. - -## Related articles - -* [Planning to deploy App-V](appv-planning-to-deploy-appv.md) -* [App-V prerequisites](appv-prerequisites.md) diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md deleted file mode 100644 index 50ffd5963b6..00000000000 
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ /dev/null
@@ -1,61 +0,0 @@ ---- -title: Technical Reference for App-V (Windows 10/11) -description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V). -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Technical Reference for App-V - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -This section provides reference information related to managing App-V. - -## In This Section - - -- [Performance Guidance for Application Virtualization](appv-performance-guidance.md) - - Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these practices are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience. - -- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) - -Describes how the following App-V client operations affect the local operating system: - -- App-V files and data storage locations -- Package registry -- Package store behavior -- Roaming registry and data -- Client application lifecycle management -- Integration of App-V packages -- Dynamic configuration -- Side-by-side assemblies -- Client logging - -- [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) - - Tells how to view publishing metadata, which can help you resolve publishing-related issues. 
- -- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) - - Describes reasons and methods for running a locally installed application in a virtual environment, alongside applications that have been virtualized by using Application Virtualization (App-V). - - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md) - -[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) - -[Windows PowerShell reference for App-V](/previous-versions/) diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md deleted file mode 100644 index d2fbaa8450f..00000000000 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11) -description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the following procedure to transfer the access and default package configurations to another version of a package by using the management console. - -**To transfer access and configurations to another version of a package** - -1. To view the package that you want to configure, open the App-V Management Console. Select the package to which you'll transfer the new configuration, right-click the package and select **transfer default configuration from** or **transfer access and configurations from**, depending on the configuration that you want to transfer. - -2. To transfer the configuration, in the **Select Previous Version** dialog box, select the package that contains the settings that you want to transfer, and then click **OK**. - - If you select **transfer default configuration from**, then only the underlying dynamic deployment configuration will be transferred. - - If you select **transfer access and configurations from**, then all access permissions, and the configuration settings, will be copied. - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md deleted file mode 100644 index 0cde4c84966..00000000000 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: Troubleshooting App-V (Windows 10/11) -description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Troubleshooting App-V - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -For information that can help with troubleshooting App-V for Windows client, see: - -- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) - -- [Microsoft App-V Team Blog](/archive/blogs/appv/) - -- [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md) - -- [Technical Reference for App-V](appv-technical-reference.md) - -- [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv) - - -## Other resources - -- [Application Virtualization (App-V) for Windows client overview](appv-for-windows.md) - -- [Getting Started with App-V for Windows client](appv-getting-started.md) - -- [Planning for App-V](appv-planning-for-appv.md) - -- [Deploying App-V](appv-deploying-appv.md) - -- [Operations for App-V](appv-operations.md) - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md deleted file mode 100644 index 872fdc6b2a9..00000000000 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11) -description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Upgrading to App-V for Windows client from an existing installation - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. - -1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-1011). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. - -2. [Verify that App-V applications and settings were migrated correctly](#verify-that-app-v-applications-and-settings-were-migrated-correctly). - -3. [Enable the in-box App-V client](#enable-the-in-box-app-v-client). - -4. [Configure the in-box App-V client to point to previously installed App-V server components](#configure-the-in-box-app-v-client-to-point-to-previously-installed-app-v-server-components). - -5. [Verify that the in-box App-V client can receive and launch .appv packages](#verify-that-the-in-box-app-v-client-can-receive-and-launch-appv-packages). - -These steps are explained in more detail below. - -## Upgrade user devices to Windows 10/11 - -Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices. 
- -## Verify that App-V applications and settings were migrated correctly - -After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. - -To verify that the user’s App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell. - -To verify that the user’s App-V settings were migrated correctly, type `Get-AppvClientConfiguration` in Windows PowerShell. - -## Enable the in-box App-V client - -With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. - -**To enable the App-V client with Group Policy** - -1. Open the device’s **Group Policy Editor**. - -2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**. - -3. Run **Enables App-V Client** and then select **Enabled** on the screen that appears. - -4. Restart the device. - -**To enable the App-V client with Windows PowerShell** - -1. Open Windows PowerShell. - -2. Type `Enable-Appv` and press enter. - -3. Restart the device. - -4. To verify that the App-V client is enabled on the device, enter `AppvClientEnabled` or `Get-AppvStatus` in Windows PowerShell. - -## Configure the in-box App-V client to point to previously installed App-V server components - -Once you’ve enabled the in-box App-V client, you need to configure it to point to your existing App-V server components. You can configure the App-V client with Windows PowerShell cmdlets or with the device’s local Group Policy editor. 
- -**To modify client settings to point to an existing App-V publishing server with Windows PowerShell** - -Type the following cmdlet in a Windows PowerShell window: - -`Add-AppvPublishingServer -Name AppVServer -URL https:// appvserver:2222` - -**To modify client settings to point to an existing App-V publishing server with Group Policy** - -1. Open the device’s **Local Group Policy Editor**. - -2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**. - -3. Enter your existing App-V publishing server’s details in **Options** and then click or press **Apply**. - -## Verify that the in-box App-V client can receive and launch .appv packages - -1. Add and publish a package using the following Windows PowerShell cmdlets: - - `Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage` - -2. Launch the published package. - -3. Unpublish an existing package use the following cmdlet: - - `Unpublish-AppvClientPackage "ContosoApplication"` - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md deleted file mode 100644 index 5d99029e542..00000000000 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Using the App-V Client Management Console (Windows 10/11) -description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Using the App-V Client Management Console - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -This article provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. - -## Options for managing the App-V client - -The App-V client has associated settings that can be configured to determine how the client will run in your environment. You can manage these settings on the computer that runs the client, or you can use Windows PowerShell or Group Policy. For more information about configuring the client by using Windows PowerShell or Group Policy, see: - -- [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md) - -- [How to Modify Client Configuration by Using Windows PowerShell](appv-modify-client-configuration-with-powershell.md) - -- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) - -## The App-V client management console - -You can obtain information about the App-V client or perform specific tasks by using the App-V client management console. Many of the tasks that you can perform in the client management console you can also perform by using Windows PowerShell. The associated Windows PowerShell cmdlets for each action are also displayed in the following table. 
For more information about how to use Windows PowerShell, see [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md). - -The client management console contains the following described main tabs. - -- **Overview**: The **Overview** tab contains the following elements: - - - **Update**: Refreshes a virtualized application or to receive a new virtualized package. - - **Last Refresh**: Displays the current version of the virtualized package. - - **Download all virtual applications**: Use the Download tile to download all of the packages provisioned to the current user. - - Associated Windows PowerShell cmdlet: `Mount-AppvClientPackage` - - - **Work Offline**: Disallows all automatic and manual virtual application updates. - - Associated Windows PowerShell cmdlet: `-AppvPublishServer –UserRefreshEnabled –GlobalRefreshEnabled` - -- **VIRTUAL APPS**: Displays all of the packages that have been published to the user. - - You can also click a specific package and see all of the applications that are part of that package. This option displays information about packages that are currently in use and how much of each package has been downloaded to the computer. You can also start and stop package downloads, and repair the user state. A repair will delete all user data that is associated with a package. - -- **APP CONNECTION GROUPS**: Displays all of the connection groups that are available to the current user. Click a specific connection group to see all of the packages that are part of the selected group. This displays information about connection groups that are already in use and how much of the connection group contents have been downloaded to the computer. Additionally, you can start and stop connection group downloads. You can use this section to initiate a repair. A repair will remove all of the user state that is associated a connection group. 
- - Associated Windows PowerShell cmdlets: - - - Download: `Mount-AppvClientConnectionGroup` - - Repair: `AppvClientConnectionGroup` - -For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md deleted file mode 100644 index 97d6680ac15..00000000000 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11) -description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -Use the following procedure to view and configure default package extensions. - -**To view and configure default virtual application extensions** - -1. To view the package that you want to configure, open the App-V Management Console. Select the package that you want to configure, right-click the package name and select **edit default configuration**. - -2. To view the applications contained in the specified package, in the **Default Configuration** pane, click **Applications**. To view the shortcuts for that package, click **Shortcuts**. To view the file type associations for that package, click **File Types**. - -3. To enable the application extensions, select **ENABLE**. - - To enable shortcuts, select **ENABLE SHORTCUTS**. To add a new shortcut for the selected application, right-click the application in the **SHORTCUTS** pane and select **Add new shortcut**. To remove a shortcut, right-click the application in the **SHORTCUTS** pane and select **Remove Shortcut**. To edit an existing shortcut, right-click the application and select **Edit Shortcut**. - -4. To view any other application extensions, click **Advanced** and click **Export Configuration**. Type in a filename and click **Save**. 
You can view all application extensions associated with the package using the configuration file. - -5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process. - - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md deleted file mode 100644 index f652726838e..00000000000 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -title: Viewing App-V Server Publishing Metadata (Windows 10/11) -description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. -author: aczechowski -ms.service: windows-client -ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.collection: must-keep -ms.subservice: itpro-apps -ms.topic: article ---- - -# Viewing App-V Server Publishing Metadata - -**Applies to** -- Windows Server 2016 - -Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. You must be using the App-V Management server to use this procedure. - -This article contains the following information: - -- [Definition of publishing metadata](#bkmk-whatis-pub-metadata) - -- [Syntax to use for viewing publishing metadata](#bkmk-syntax-view-pub-meta) - -- [Query values for client operating system](#bkmk-values-query-pub-meta) - -## Definition of publishing metadata - -When packages are published to a computer that is running the App-V client, metadata is sent to that computer indicating which packages and connection groups are being published. The App-V Client makes two separate requests for the following: - -- Packages and connection groups that are entitled to the client computer. - -- Packages and connection groups that are entitled to the current user. - -The Publishing server communicates with the Management server to determine which packages and connection groups are available to the requester. The Publishing server must be registered with the Management server in order for the metadata to be generated. - -You can view the metadata for each request in an Internet browser by using a query that is in the context of the specific user or computer. - -## Query syntax for viewing publishing metadata - -This section provides information about queries for viewing publishing metadata for App-V 5.0 SP3 Server and App-V 5.1 server. 
The App-V server components have not changed since App-V 5.0 was released, so App-V 5.x Server is the version of the server used with App-V for Windows client. - -**Query syntax** - -`http://:/?ClientVersion=&ClientOS=` - -For information about the variables in this syntax, see the table that follows. - -**Query example** - -`http://pubsvr01:2718/?ClientVersion=10.0.14393&ClientOS=WindowsClient_10.0_x64` - -In this example: - -- A computer running Windows Server 2016 named “pubsvr01” hosts the Publishing service. - -- The Windows client is 64-bit. - -**Query parameter descriptions** - -The following table describes the parameters shown in the preceding **Query syntax**. - -| Parameter | Description | -|------------|---------------| -| `` | Name of the App-V Publishing server. | -| `` | Port to the App-V Publishing server, which you defined when you configured the Publishing server. | -| `ClientVersion=` | Windows client build number. You can obtain this number by running the following Windows PowerShell command:
    `(Get-CimInstance Win32_OperatingSystem).version` | -| `ClientOS=` | Operating system of the computer that is running the App-V client. Refer to the table that follows for the correct value.
    You can omit this parameter, with the result that only the packages that were sequenced to support all operating systems will appear in the metadata. | - -To get the name of the Publishing server and the port number (`http://:`) from the App-V client, look at the URL configuration of the Get-AppvPublishingServer Windows PowerShell cmdlet. - -## Query values for client operating system - -In your publishing metadata query, enter the string values that correspond to the client operating system that you’re using. - -|Operating system|Architecture|String value| -|--- |--- |--- | -|Windows 10/11|64-bit|WindowsClient_10.0_x64| -|Windows 10/11|32-bit|WindowsClient_10.0_x86| -|Windows 8.1|64-bit|WindowsClient_6.2_x64| -|Windows 8.1|32-bit|WindowsClient_6.2_x86| -|Windows 8|64-bit|WindowsClient_6.2_x64| -|Windows 8|32-bit|WindowsClient_6.2_x86| -|Windows Server 2012 R2|64-bit|WindowsServer_6.2_x64| -|Windows Server 2012 R2|32-bit|WindowsServer_6.2_x86| -|Windows Server 2012|64-bit|WindowsServer_6.2_x64| -|Windows Server 2012|32-bit|WindowsServer_6.2_x86| -|Windows Server 2008 R2|64-bit|WindowsServer_6.1_x64| -|Windows Server 2008 R2|32-bit|WindowsServer_6.1_x86| - - -
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Related articles - -[Technical Reference for App-V](appv-technical-reference.md) diff --git a/windows/application-management/app-v/images/app-v-in-adk.png b/windows/application-management/app-v/images/app-v-in-adk.png deleted file mode 100644 index a36ef9f00f8..00000000000 Binary files a/windows/application-management/app-v/images/app-v-in-adk.png and /dev/null differ diff --git a/windows/application-management/app-v/images/checklistbox.gif b/windows/application-management/app-v/images/checklistbox.gif deleted file mode 100644 index cbcf4a4f11e..00000000000 Binary files a/windows/application-management/app-v/images/checklistbox.gif and /dev/null differ diff --git a/windows/application-management/app-v/images/packageaddfileandregistrydata-global.png b/windows/application-management/app-v/images/packageaddfileandregistrydata-global.png deleted file mode 100644 index 775e290a361..00000000000 Binary files a/windows/application-management/app-v/images/packageaddfileandregistrydata-global.png and /dev/null differ diff --git a/windows/application-management/app-v/images/packageaddfileandregistrydata-stream.png b/windows/application-management/app-v/images/packageaddfileandregistrydata-stream.png deleted file mode 100644 index 0e1205c62b2..00000000000 Binary files a/windows/application-management/app-v/images/packageaddfileandregistrydata-stream.png and /dev/null differ diff --git a/windows/application-management/app-v/images/packageaddfileandregistrydata.png b/windows/application-management/app-v/images/packageaddfileandregistrydata.png deleted file mode 100644 index 603420e6278..00000000000 Binary files a/windows/application-management/app-v/images/packageaddfileandregistrydata.png and /dev/null differ diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 7b7f7eed470..ddb34848ae9 100644 
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -39,6 +39,7 @@
 "ms.collection": [
 "tier2"
 ],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.service": "windows-client",
 "ms.subservice": "itpro-apps",
@@ -50,12 +51,11 @@
 "folder_relative_path_in_docset": "./"
 }
 },
- "titleSuffix": "Windows Application Management",
 "contributors_to_exclude": [
 "dstrome2",
- "rjagiewich",
+ "rjagiewich",
 "American-Dipper",
- "claydetels19",
+ "claydetels19",
 "jborsecnik",
 "v-stchambers",
 "shdyas",
@@ -68,11 +68,6 @@
 "Windows 10"
 ]
 },
- "fileMetadata": {
- "feedback_system": {
- "app-v/**/*.*": "None"
- }
- },
 "template": [],
 "dest": "win-app-management",
 "markdownEngineName": "markdig"
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 2a00963aef5..73dbb919ae3 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -5,7 +5,7 @@ author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
 ms.date: 10/03/2017
-ms.topic: article
+ms.topic: conceptual
 ms.service: windows-client
 ms.subservice: itpro-apps
 ms.localizationpriority: medium
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index 371bc58a376..ae406114d74 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -9,7 +9,7 @@ metadata:
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
- ms.date: 08/18/2023
+ ms.date: 06/28/2024
 ms.topic: landing-page
 ms.service: windows-client
 ms.subservice: itpro-apps
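Review bot: The added `"zone_pivot_group_filename": "resources/zone-pivot-groups.json"` in the first docfx.json hunk names a file that nothing in the visible part of this diff creates or modifies. The path is presumably resolved relative to the docset folder, so unless `resources/zone-pivot-groups.json` already exists there or is added elsewhere in this commit, the setting points at nothing. Please confirm the file is present before merging, or add it in the same change.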
@@ -40,22 +40,3 @@ landingContent:
 url: per-user-services-in-windows.md
 - text: Changes to Service Host grouping in Windows 10
 url: svchost-service-refactoring.md
-
- - title: Application Virtualization (App-V)
- linkLists:
- - linkListType: overview
- links:
- - text: App-V overview
- url: app-v/appv-for-windows.md
- - text: Getting started with App-V
- url: app-v/appv-getting-started.md
- - text: Planning for App-V
- url: app-v/appv-planning-for-appv.md
- - text: Deploying App-V
- url: app-v/appv-deploying-appv.md
- - text: Operations for App-V
- url: app-v/appv-operations.md
- - text: Troubleshooting App-V
- url: app-v/appv-troubleshooting.md
- - text: Technical Reference for App-V
- url: app-v/appv-technical-reference.md
diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md
index ab58f88f99c..7188ebe6e00 100644
--- a/windows/application-management/overview-windows-apps.md
+++ b/windows/application-management/overview-windows-apps.md
@@ -4,7 +4,7 @@ description: Learn about the different types of apps that run on Windows. For ex
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
-ms.date: 08/28/2023
+ms.date: 06/28/2024
 ms.topic: overview
 ms.service: windows-client
 ms.subservice: itpro-apps
@@ -31,7 +31,7 @@ For more information on deploying Microsoft 365 apps, see the [Deployment guide ### Power Apps -These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. +These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. For more information, see [What is Power Apps?](/power-apps/powerapps-overview). @@ -182,7 +182,7 @@ App-V allows Win32 apps to be used as virtual apps. On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally. -The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md). +The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](/microsoft-desktop-optimization-pack/app-v/appv-for-windows). ## Manage apps diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 90281afcd3a..d6b6444c8db 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md 
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -5,7 +5,7 @@ author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
 ms.date: 04/04/2023
-ms.topic: article
+ms.topic: conceptual
 ms.service: windows-client
 ms.subservice: itpro-apps
 ms.localizationpriority: medium
diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml
index 63f66e42cb9..eaea302b9cc 100644
--- a/windows/application-management/toc.yml
+++ b/windows/application-management/toc.yml
@@ -1,257 +1,17 @@ items: - name: Manage Windows applications href: index.yml -- name: Application management - items: - - name: Overview of apps in Windows - href: overview-windows-apps.md - - name: Add or hide Windows features - href: add-apps-and-features.md - - name: Sideload line of business (LOB) apps - href: sideload-apps-in-windows.md - - name: Private app repo on Windows 11 - href: private-app-repository-mdm-company-portal-windows-11.md - - name: Remove background task resource restrictions - href: enterprise-background-activity-controls.md - - name: Service host grouping in Windows 10 - href: svchost-service-refactoring.md - - name: Per-user services in Windows - href: per-user-services-in-windows.md - - name: Keep removed apps from returning during an update - href: remove-provisioned-apps-during-update.md -- name: Application Virtualization (App-V) - items: - - name: App-V for Windows overview - href: app-v/appv-for-windows.md - - name: Getting Started - items: - - name: Getting Started with App-V - href: app-v/appv-getting-started.md - - name: What's new - items: - - name: What's new in App-V for Windows 10, version 1703 and earlier - href: app-v/appv-about-appv.md - - name: Release Notes for App-V for Windows 10, version 1607 - href: app-v/appv-release-notes-for-appv-for-windows.md - - name: Release Notes for App-V for Windows 10, version 1703 - href: app-v/appv-release-notes-for-appv-for-windows-1703.md - - name: Evaluating App-V - href: app-v/appv-evaluating-appv.md - - name: High Level Architecture for App-V - href: app-v/appv-high-level-architecture.md - - name: Planning - items: - - name: Planning for App-V - href: app-v/appv-planning-for-appv.md - - name: Preparing your environment - items: - - name: Preparing your environment for App-V - href: app-v/appv-preparing-your-environment.md - - name: App-V Prerequisites - href: app-v/appv-prerequisites.md - - name: App-V security considerations - href: app-v/appv-security-considerations.md - - name: 
Planning to deploy - items: - - name: Planning to Deploy App-V - href: app-v/appv-planning-to-deploy-appv.md - - name: App-V Supported Configurations - href: app-v/appv-supported-configurations.md - - name: App-V Capacity Planning - href: app-v/appv-capacity-planning.md - - name: Planning for High Availability with App-V - href: app-v/appv-planning-for-high-availability-with-appv.md - - name: Planning to Deploy App-V with an Electronic Software Distribution System - href: app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md - - name: Planning for the App-V Server Deployment - href: app-v/appv-planning-for-appv-server-deployment.md - - name: Planning for the App-V Sequencer and Client Deployment - href: app-v/appv-planning-for-sequencer-and-client-deployment.md - - name: Planning for Using App-V with Office - href: app-v/appv-planning-for-using-appv-with-office.md - - name: Planning to Use Folder Redirection with App-V - href: app-v/appv-planning-folder-redirection-with-appv.md - - name: App-V Planning Checklist - href: app-v/appv-planning-checklist.md - - name: Deploying - items: - - name: Deploying App-V - href: app-v/appv-deploying-appv.md - - name: App-V sequencer and client configuration - items: - - name: Deploying the App-V Sequencer and Configuring the Client - href: app-v/appv-deploying-the-appv-sequencer-and-client.md - - name: About Client Configuration Settings - href: app-v/appv-client-configuration-settings.md - - name: Enable the App-V desktop client - href: app-v/appv-enable-the-app-v-desktop-client.md - - name: How to Install the Sequencer - href: app-v/appv-install-the-sequencer.md - - name: App-V server deployment - items: - - name: Deploying the App-V Server - href: app-v/appv-deploying-the-appv-server.md - - name: How to Deploy the App-V Server - href: app-v/appv-deploy-the-appv-server.md - - name: How to Deploy the App-V Server Using a Script - href: app-v/appv-deploy-the-appv-server-with-a-script.md - - name: 
How to Deploy the App-V Databases by Using SQL Scripts - href: app-v/appv-deploy-appv-databases-with-sql-scripts.md - - name: How to Install the Publishing Server on a Remote Computer - href: app-v/appv-install-the-publishing-server-on-a-remote-computer.md - - name: How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services - href: app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md - - name: How to install the Management Server on a Standalone Computer and Connect it to the Database - href: app-v/appv-install-the-management-server-on-a-standalone-computer.md - - name: About App-V Reporting - href: app-v/appv-reporting.md - - name: How to install the Reporting Server on a Standalone Computer and Connect it to the Database - href: app-v/appv-install-the-reporting-server-on-a-standalone-computer.md - - name: App-V Deployment Checklist - href: app-v/appv-deployment-checklist.md - - name: Deploying Microsoft Office 2016 by Using App-V - href: app-v/appv-deploying-microsoft-office-2016-with-appv.md - - name: Deploying Microsoft Office 2013 by Using App-V - href: app-v/appv-deploying-microsoft-office-2013-with-appv.md - - name: Deploying Microsoft Office 2010 by Using App-V - href: app-v/appv-deploying-microsoft-office-2010-wth-appv.md - - name: Operations - items: - - name: Operations for App-V - href: app-v/appv-operations.md - - name: Creating and managing virtualized applications - items: - - name: Creating and Managing App-V Virtualized Applications - href: app-v/appv-creating-and-managing-virtualized-applications.md - - name: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) - href: app-v/appv-auto-provision-a-vm.md - - name: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) - href: app-v/appv-auto-batch-sequencing.md - - name: 
Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) - href: app-v/appv-auto-batch-updating.md - - name: Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer) - href: app-v/appv-sequence-a-new-application.md - - name: How to Modify an Existing Virtual Application Package - href: app-v/appv-modify-an-existing-virtual-application-package.md - - name: How to Create and Use a Project Template - href: app-v/appv-create-and-use-a-project-template.md - - name: How to Create a Package Accelerator - href: app-v/appv-create-a-package-accelerator.md - - name: How to Create a Virtual Application Package Using an App-V Package Accelerator - href: app-v/appv-create-a-virtual-application-package-package-accelerator.md - - name: Administering App-V - items: - - name: Administering App-V Virtual Applications by Using the Management Console - href: app-v/appv-administering-virtual-applications-with-the-management-console.md - - name: About App-V Dynamic Configuration - href: app-v/appv-dynamic-configuration.md - - name: How to Connect to the Management Console - href: app-v/appv-connect-to-the-management-console.md - - name: How to Add or Upgrade Packages by Using the Management Console - href: app-v/appv-add-or-upgrade-packages-with-the-management-console.md - - name: How to Configure Access to Packages by Using the Management Console - href: app-v/appv-configure-access-to-packages-with-the-management-console.md - - name: How to Publish a Package by Using the Management Console - href: app-v/appv-publish-a-packages-with-the-management-console.md - - name: How to Delete a Package in the Management Console - href: app-v/appv-delete-a-package-with-the-management-console.md - - name: How to Add or Remove an Administrator by Using the Management Console - href: app-v/appv-add-or-remove-an-administrator-with-the-management-console.md - - name: How to Register and Unregister 
a Publishing Server by Using the Management Console - href: app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md - - name: How to Create a Custom Configuration File by Using the App-V Management Console - href: app-v/appv-create-a-custom-configuration-file-with-the-management-console.md - - name: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console - href: app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md - - name: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console - href: app-v/appv-customize-virtual-application-extensions-with-the-management-console.md - - name: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console - href: app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md - - name: Connection groups - items: - - name: Managing Connection Groups - href: app-v/appv-managing-connection-groups.md - - name: About the Connection Group Virtual Environment - href: app-v/appv-connection-group-virtual-environment.md - - name: About the Connection Group File - href: app-v/appv-connection-group-file.md - - name: How to Create a Connection Group - href: app-v/appv-create-a-connection-group.md - - name: How to Create a Connection Group with User-Published and Globally Published Packages - href: app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md - - name: How to Delete a Connection Group - href: app-v/appv-delete-a-connection-group.md - - name: How to Publish a Connection Group - href: app-v/appv-publish-a-connection-group.md - - name: How to Make a Connection Group Ignore the Package Version - href: app-v/appv-configure-connection-groups-to-ignore-the-package-version.md - - name: How to Allow Only Administrators to 
Enable Connection Groups - href: app-v/appv-allow-administrators-to-enable-connection-groups.md - - name: Deploying App-V packages with ESD - items: - - name: Deploying App-V Packages by Using Electronic Software Distribution (ESD) - href: app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md - - name: How to deploy App-V Packages Using Electronic Software Distribution - href: app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md - - name: How to Enable Only Administrators to Publish Packages by Using an ESD - href: app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md - - name: Using the management console - items: - - name: Using the App-V client management console - href: app-v/appv-using-the-client-management-console.md - - name: Automatically clean up unpublished packages on the App-V client - href: app-v/appv-auto-clean-unpublished-packages.md - - name: Migrating - items: - - name: Migrating to App-V from a previous version - href: app-v/appv-migrating-to-appv-from-a-previous-version.md - - name: How to convert a package created in a previous version of App-V - href: app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md - - name: Maintenance - items: - - name: Maintaining App-V - href: app-v/appv-maintaining-appv.md - - name: How to Move the App-V Server to Another Computer - href: app-v/appv-move-the-appv-server-to-another-computer.md - - name: Administering App-V with Windows PowerShell - items: - - name: Administering App-V by using Windows PowerShell - href: app-v/appv-administering-appv-with-powershell.md - - name: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help - href: app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md - - name: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell - href: 
app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md - - name: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell - href: app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md - - name: How to Modify Client Configuration by Using Windows PowerShell - href: app-v/appv-modify-client-configuration-with-powershell.md - - name: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server - href: app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md - - name: How to Apply the User Configuration File by Using Windows PowerShell - href: app-v/appv-apply-the-user-configuration-file-with-powershell.md - - name: How to Apply the Deployment Configuration File by Using Windows PowerShell - href: app-v/appv-apply-the-deployment-configuration-file-with-powershell.md - - name: How to Sequence a Package by Using Windows PowerShell - href: app-v/appv-sequence-a-package-with-powershell.md - - name: How to Create a Package Accelerator by Using Windows PowerShell - href: app-v/appv-create-a-package-accelerator-with-powershell.md - - name: How to Enable Reporting on the App-V Client by Using Windows PowerShell - href: app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md - - name: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell - href: app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md - - name: Troubleshooting App-V - href: app-v/appv-troubleshooting.md - - name: Technical Reference - items: - - name: Technical Reference for App-V - href: app-v/appv-technical-reference.md - - name: Available Mobile Device Management (MDM) settings for App-V - href: app-v/appv-available-mdm-settings.md - - name: Performance Guidance for Application Virtualization - href: app-v/appv-performance-guidance.md - - name: 
Application Publishing and Client Interaction - href: app-v/appv-application-publishing-and-client-interaction.md - - name: Viewing App-V Server Publishing Metadata - href: app-v/appv-viewing-appv-server-publishing-metadata.md - - name: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications - href: app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +- name: Overview of apps in Windows + href: overview-windows-apps.md +- name: Sideload line of business (LOB) apps + href: sideload-apps-in-windows.md +- name: Private app repo on Windows 11 + href: private-app-repository-mdm-company-portal-windows-11.md +- name: Remove background task resource restrictions + href: enterprise-background-activity-controls.md +- name: Service host grouping in Windows 10 + href: svchost-service-refactoring.md +- name: Per-user services in Windows + href: per-user-services-in-windows.md +- name: Keep removed apps from returning during an update + href: remove-provisioned-apps-during-update.md diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 27c5fb235c5..eefc2151aba 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md 
@@ -5,18 +5,18 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # Microsoft Entra integration with MDM -Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into MDM in an integrated flow. +Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into Mobile Device Management (MDM) in an integrated flow. Once a device is enrolled in MDM, the MDM: - Can enforce compliance with organization policies, add or remove apps, and more. - Can report a device's compliance in Microsoft Entra ID. -- Microsoft Entra ID can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies. +- Can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID. 
@@ -24,23 +24,21 @@ To support these rich experiences with their MDM product, MDM vendors can integr There are several ways to connect your devices to Microsoft Entra ID: -- [Join device to Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join) -- [Join device to on-premises AD and Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join-hybrid) -- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register) +- [Join device to Microsoft Entra ID](/entra/identity/devices/concept-directory-join) +- [Join device to on-premises AD and Microsoft Entra ID](/entra/identity/devices/concept-hybrid-join) +- [Add a Microsoft work account to Windows](/entra/identity/devices/concept-device-registration) In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. 
-For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). +For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Microsoft Entra multifactor authentication as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar. > [!NOTE] > Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account. - - ### MDM endpoints involved in Microsoft Entra integrated enrollment Microsoft Entra MDM enrollment is a two-step process: 
@@ -64,17 +62,15 @@ To support Microsoft Entra enrollment, MDM vendors must host and expose a **Term The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. - - ## Make MDM a reliable party of Microsoft Entra ID To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). ### Cloud-based MDM -A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. +A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multitenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. -The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. 
For more information about how to add multi-tenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. +The MDM vendor must first register the application in their home tenant and mark it as a multitenant application. For more information about how to add multitenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multitenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. > [!NOTE] > For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides: 
@@ -82,7 +78,7 @@ The MDM vendor must first register the application in their home tenant and mark > - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant. > - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal. -The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs. +The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multitenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs. > [!NOTE] > All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). 
@@ -107,8 +103,6 @@ For cloud-based MDM, you can roll over the application keys without requiring a For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys. - - ## Publish your MDM app to Microsoft Entra app gallery IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID. @@ -124,7 +118,7 @@ The following table shows the required information to create an entry in the Mic | Item | Description | |---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app. | +| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multitenant app. | | **Publisher** | A string that identifies the publisher of the app. | | **Application URL** | A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment. | | **Description** | A brief description of your MDM app, which must be under 255 characters. | 
@@ -191,7 +185,7 @@ The following claims are expected in the access token passed by Windows to the T |-----------|----------------------------------------------------------------------------------------------| | Object ID | Identifier of the user object corresponding to the authenticated user. | | UPN | A claim containing the user principal name (UPN) of the authenticated user. | -| TID | A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. | +| TID | A claim representing the tenant ID of the tenant. In the previous example, it's Fabrikam. | | Resource | A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` | > [!NOTE] @@ -206,7 +200,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm Authorization: Bearer eyJ0eXAiOi ``` -The MDM is expected to validate the signature of the access token to ensure it is issued by Microsoft Entra ID and that the recipient is appropriate. +The MDM is expected to validate the signature of the access token to ensure it's issued by Microsoft Entra ID and that the recipient is appropriate. ### Terms of Use content @@ -260,8 +254,6 @@ The following table shows the error codes. | Microsoft Entra token validation failed | 302 | unauthorized_client | unauthorized_client | | internal service error | 302 | server_error | internal service error | - - ## Enrollment protocol with Microsoft Entra ID With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. @@ -284,8 +276,6 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported| |CSPs accessible during enrollment|Windows 10 support:
    - DMClient
    - CertificateStore
    - RootCATrustedCertificates
    - ClientCertificateInstall
    - EnterpriseModernAppManagement
    - PassportForWork
    - Policy
    - w7 APPLICATION||| - - ## Management protocol with Microsoft Entra ID There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. @@ -318,8 +308,6 @@ There are two different MDM enrollment types that integrate with Microsoft Entra - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). - Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). - - ## Device Alert 1224 for Microsoft Entra user token An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example: 
@@ -372,15 +360,13 @@ Here's an example. ``` - - ## Report device compliance to Microsoft Entra ID Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID. For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822). -- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID. +- **Cloud-based MDM** - If your product is a cloud-based multitenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID. - **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID. ### Use Microsoft Graph API 
@@ -415,8 +401,6 @@ Response: - Success - HTTP 204 with No Content. - Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found. - - ## Data loss during unenrollment from Microsoft Entra join When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index ab7c3e0a1c8..aca40777f6d 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -2,7 +2,7 @@ title: Automatic MDM enrollment in the Intune admin center description: Automatic MDM enrollment in the Intune admin center ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # Automatic MDM enrollment in the Intune admin center diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index d9938c6409f..c248120cff2 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md 
@@ -1,13 +1,13 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. +description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices. ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # Bulk enrollment using Windows Configuration Designer -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario. +Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario. ## Typical use cases @@ -68,7 +68,7 @@ Using the WCD, create a provisioning package using the enrollment information re ![bulk enrollment screenshot.](images/bulk-enrollment.png) 1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. After adding all the settings, select **Save** on the **File** menu. 1. On the main menu, select **Export** > **Provisioning package**. ![icd menu for export.](images/bulk-enrollment2.png) 
@@ -120,7 +120,7 @@ Using the WCD, create a provisioning package using the enrollment information re For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). 1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. After adding all the settings, select **Save** on the **File** menu. 1. Export and build the package (steps 10-13 in previous section). 1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 1. Apply the package to your devices. @@ -142,7 +142,7 @@ Using the WCD, create a provisioning package using the enrollment information re - If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row. - If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context. - It also retries the provisioning each time it's launched, if started from somewhere else as well. -- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions). +- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system is idle](/windows/win32/taskschd/task-idle-conditions). ## Related articles diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index e53a80cc551..2cea712e444 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md 
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -2,7 +2,7 @@
 title: Certificate authentication device enrollment
 description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---
 
 # Certificate authentication device enrollment
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index 573cbe71b28..66d42a4d90e 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -2,7 +2,7 @@
 title: Certificate Renewal
 description: Learn how to find all the resources that you need to provide continuous access to client certificates.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---
 
 # Certificate Renewal
@@ -19,7 +19,7 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of > [!NOTE] > Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. -Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. +Auto certificate renewal is the only supported MDM client certificate renewal method for a device enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL. 
@@ -89,7 +89,7 @@ In Windows, the renewal period can only be set during the MDM enrollment phase. For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md). -Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device will try to connect at different days of the week. +Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device tries to connect at different days of the week. ## Certificate renewal response @@ -99,7 +99,7 @@ When RequestType is set to Renew, the web service verifies the following (in add - The client's certificate is in the renewal period - The certificate is issued by the enrollment service - The requester is the same as the requester for initial enrollment -- For standard client's request, the client hasn't been blocked +- For standard client's request, the client isn't blocked After validation is completed, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. 
diff --git a/windows/client-management/client-tools/add-remove-hide-features.md b/windows/client-management/client-tools/add-remove-hide-features.md
new file mode 100644
index 00000000000..92fa8aaf856
--- /dev/null
+++ b/windows/client-management/client-tools/add-remove-hide-features.md
@@ -0,0 +1,160 @@
+---
+title: Add, remove, or hide Windows features
+description: Learn how to add or remove Windows optional features using the Optional features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
+ms.date: 07/01/2024
+ms.topic: how-to
+zone_pivot_groups: windows-versions-11-10
+---
+
+# Add, remove, or hide Windows features
+
+Windows has optional features that aren't included by default, but you can add later. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities), and can be added at any time. Some of these features are language resources like language packs or handwriting support. On organization-owned devices, you can control access to these other features. You can use group policy or mobile device management (MDM) policies to hide the UI from users, or use Windows PowerShell to enable or disable specific features.
+
+## Use the Windows Settings app to add or remove features
+
+
+
+Open the **Optional features** pane in the **Settings** app by selecting the following link:
+
+> [!div class="nextstepaction"]
+> [Optional features](ms-settings:optionalfeatures)
+
+Or
+
+1. Right-click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open:**, enter:
+
+ ```console
+ ms-settings:optionalfeatures
+ ```
+
+ and then select **OK**.
+
+Or
+
+::: zone pivot="windows-11"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the left hand pane of the Settings app, select **System**.
+
+1. In the right hand **System** pane, select **Optional features**.
+
+> [!NOTE]
+>
+> The navigation steps, UI elements, and UI text in this section are based on the latest version of Windows 11 with the latest cumulative update installed. For other versions of Windows 11 that are currently supported or don't have the latest cumulative update, some of the navigation steps, UI elements, and UI text might be different. For example, the [**Optional features**](ms-settings:optionalfeatures) pane might be located under **Settings** > **Apps**.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the Settings app, select **System**.
+
+1. In the left hand pane, select **Optional features**.
+
+> [!NOTE]
+>
+> The navigation steps, UI elements, and UI text in this section are based on Windows 10 22H2 with the latest cumulative update installed. For other versions of Windows 10 that are currently supported or don't have the latest cumulative update, some of the navigation steps, UI elements, and UI text might be different. For example, the [**Optional features**](ms-settings:optionalfeatures) pane might be located under **Settings** > **Apps** > **Apps & features**.
+
+::: zone-end
+
+### Add a feature
+
+::: zone pivot="windows-11"
+
+Once the **System > Optional features** pane is open, add a feature with the following steps:
+
+1. Select the **View features** button next to **Add an optional feature**.
+
+1. In the **Add an optional feature** window that opens:
+
+ 1. Find the desired feature to add and then select the box next to the feature to add it. Multiple features can be selected.
+
+ 1. Once all of the desired features are selected, select the **Next** button.
+
+ 1. Review the selected list of features and then select the **Add** button to add the selected features.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+Once the **Optional features** pane is open, add a feature with the following steps:
+
+1. Select the **+** button next to **Add a feature**.
+
+1. In the **Add an optional feature** window that opens:
+
+ 1. Find the desired feature to add and then select the box next to the feature to add it. Multiple features can be selected.
+
+ 1. Once all of the desired features are selected, select the **Add** button.
+
+::: zone-end
+
+> [!IMPORTANT]
+>
+> Windows Update is used to add the optional features. The device needs to be online so Windows Update can download the content that it needs to add.
+
+### Remove a feature
+
+::: zone pivot="windows-11"
+
+Once the **System > Optional features** pane is open, remove a feature with the following steps:
+
+1. Under **Installed features**, search for the feature that needs to be removed in the **Search installed features** search box, or scroll through the list of added features until the feature that needs to be removed is found.
+
+1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Remove** button.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+Once the **Optional features** pane is open, remove a feature with the following steps:
+
+1. Under **Installed features**, search for the feature that needs to be removed in the **Find an installed optional feature** search box, or scroll through the list of added features until the feature that needs to be removed is found.
+
+1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Remove** button.
+
+::: zone-end
+
+## Use group policy or MDM policies to hide Windows features
+
+By default, the OS might show Windows features and allow users to add and remove these optional apps and features. To hide Windows features on your user devices, you can use group policy or an MDM provider like Microsoft Intune.
+
+### Group policy
+
+If you use group policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy might be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the settings page to add optional features is hidden on the device.
+
+You can't use group policy to disable specific Windows features. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features).
+
+If you want to hide the entire **Apps** feature in the Settings app, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Programs and Features" page` policy.
+
+### MDM
+
+Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [settings catalog](/mem/intune/configuration/settings-catalog) to hide Windows features.
+
+If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the settings you can configure, see [Control Panel and Settings device restrictions in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
+
+## Use Windows PowerShell to disable specific features
+
+To disable specific features, use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) cmdlet.
+
+> [!NOTE]
+>
+> There isn't a group policy that disables specific Windows features.
+
+To automate disabling specific features, create a scheduled task to run a PowerShell script. For more information about Windows task scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
+
+Microsoft Intune can also run PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
+
+To enable specific features, use the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) cmdlet.
+
+Another useful PowerShell cmdlet is [Get-WindowsOptionalFeature](/powershell/module/dism/get-windowsoptionalfeature). Use this cmdlet to view information about optional features in the current OS or a mounted image. This cmdlet returns the current state of features, and whether a restart might be required when the state changes.
+
+## Related content
+
+- [Features on Demand overview](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities).
+- [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
+- [Language and region Features on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-language-fod).
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
index 1e319e16a49..785eb740ccf 100644
--- a/windows/client-management/client-tools/administrative-tools-in-windows.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -1,18 +1,28 @@
 ---
-title: Windows Tools/Administrative Tools
+title: Windows Tools
 description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
-ms.localizationpriority: medium
-ms.date: 08/10/2023
+ms.date: 07/01/2024
 ms.topic: conceptual
+zone_pivot_groups: windows-versions-11-10
 ms.collection:
-- highpri
-- tier2
 - essentials-manage
 ---
 
-# Windows Tools/Administrative Tools
+# Windows Tools
 
-**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
+::: zone pivot="windows-11"
+
+**Windows Tools** is a folder in the Windows 11 Control Panel. This folder contains tools for system administrators and advanced users.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+**Administrative Tools** is a folder in the Windows 10 Control Panel. This folder contains tools for system administrators and advanced users.
+
+::: zone-end
+
+::: zone pivot="windows-11"
 
 ## Windows Tools folder
 
@@ -24,6 +34,10 @@ The tools in the folder might vary depending on which edition of Windows you use
 
 :::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::
 
+::: zone-end
+
+::: zone pivot="windows-10"
+
 ## Administrative Tools folder
 
 The following graphic shows the **Administrative Tools** folder in Windows 10:
@@ -34,34 +48,7 @@ The tools in the folder might vary depending on which edition of Windows you use
 
 ![Screenshot of the contents of the Administrative Tools folder in Windows 10.](images/admin-tools-folder.png)
 
-## Tools
-
-The tools are located in the folder `C:\Windows\System32\` or its subfolders.
-
-These tools were included in previous versions of Windows. The associated documentation for each tool can help you use them. The following list provides links to documentation for each tool.
-
-- [Component Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731901(v=ws.11))
-- [Computer Management](https://support.microsoft.com/topic/how-to-use-computer-management-in-windows-xp-d5872f93-4498-f4dd-3a34-36d6f569924f)
-- [Defragment and Optimize Drives](https://support.microsoft.com/windows/ways-to-improve-your-computer-s-performance-c6018c78-0edd-a71a-7040-02267d68ea90)
-- [Disk Cleanup](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68)
-- [Event Viewer](/previous-versions/windows/it-pro/windows-2000-server/cc938674(v=technet.10))
-- [iSCSI Initiator](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10))
-- [Local Security Policy](/previous-versions/tn-archive/dd277395(v=technet.10))
-- [ODBC Data Sources](/sql/odbc/admin/odbc-data-source-administrator)
-- [Performance Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749115(v=ws.11))
-- [Print Management](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731857(v=ws.11))
-- [Recovery Drive](https://support.microsoft.com/windows/create-a-recovery-drive-abb4691b-5324-6d4a-8766-73fab304c246)
-- [Registry Editor](/windows/win32/sysinfo/registry)
-- [Resource Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883276(v=ws.10))
-- [Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772408(v=ws.11))
-- [System Configuration](/troubleshoot/windows-client/performance/system-configuration-utility-troubleshoot-configuration-errors)
-- [System Information](/previous-versions/windows/it-pro/windows-2000-server/cc957818(v=technet.10))
-- [Task Scheduler](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766428(v=ws.11))
-- [Windows Firewall with Advanced Security](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11))
-- [Windows Memory Diagnostic](/previous-versions/technet-magazine/cc745953(v=msdn.10))
-
-> [!TIP]
-> If the linked content in this list doesn't provide the information you need to use that tool, send feedback with the **This page** link in the **Feedback** section at the bottom of this article.
+::: zone-end
 
 ## Related articles
 
diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
index 685f872e8a4..725c23927ae 100644
--- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
@@ -1,12 +1,11 @@ --- title: Windows default media removal policy -description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal. -ms.date: 08/10/2023 +description: Manage default media removal policy in Windows. +ms.date: 07/01/2024 ms.topic: conceptual -ms.localizationpriority: medium --- -# Change in default removal policy for external storage media in Windows +# Manage default media removal policy Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. In earlier versions of Windows, the default policy was **Better performance**. 
@@ -16,7 +15,7 @@ You can change the policy setting for each external device, and the policy that You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects: -- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows can't cache disk write operations. This may degrade system performance. +- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows can't cache disk write operations. This can degrade system performance. - **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish. > [!IMPORTANT] diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md index b47fad81eec..c08492c2018 100644 --- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md @@ -2,7 +2,7 @@ title: Connect to remote Microsoft Entra joined device description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device. ms.localizationpriority: medium -ms.date: 08/10/2023 +ms.date: 07/01/2024 ms.topic: conceptual ms.collection: - highpri 
@@ -14,18 +14,16 @@ ms.collection: Windows supports remote connections to devices joined to Active Directory s well as devices joined to Microsoft Entra ID using Remote Desktop Protocol (RDP). - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). -- Starting in Windows 10/11, with 2022-10 update installed, you can [use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-azure-ad-authentication). +- Starting in Windows 10/11, with 2022-10 update installed, you can [use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-microsoft-entra-authentication). ## Prerequisites - Both devices (local and remote) must be running a supported version of Windows. - Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**. - - It's recommended to select **Require devices to use Network Level Authentication to connect** option. + - Select **Require devices to use Network Level Authentication to connect** option is recommended. - If the user who joined the device to Microsoft Entra ID is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device. - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device. - - ## Connect with Microsoft Entra authentication Microsoft Entra authentication can be used on the following operating systems for both the local and remote device: 
@@ -64,8 +62,6 @@ The Windows lock screen in the remote session doesn't support Microsoft Entra au Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies. - - ## Connect without Microsoft Entra authentication By default, RDP doesn't use Microsoft Entra authentication, even if the remote PC supports it. This method allows you to connect to the remote Microsoft Entra joined device from: diff --git a/windows/client-management/client-tools/images/change-def-rem-policy-2.png b/windows/client-management/client-tools/images/change-def-rem-policy-2.png index d05d5dd16fd..d99919de151 100644 Binary files a/windows/client-management/client-tools/images/change-def-rem-policy-2.png and b/windows/client-management/client-tools/images/change-def-rem-policy-2.png differ diff --git a/windows/client-management/client-tools/images/settings-page-visibility-gp.png b/windows/client-management/client-tools/images/settings-page-visibility-gp.png index 198fc83a7c5..eabe085176c 100644 Binary files a/windows/client-management/client-tools/images/settings-page-visibility-gp.png and b/windows/client-management/client-tools/images/settings-page-visibility-gp.png differ diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md index 0aaf41776dd..052dc9e72a8 100644 --- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md @@ -1,7 +1,7 @@ --- title: Manage Device Installation with Group Policy description: Find out how to manage Device Installation Restrictions with Group Policy. -ms.date: 08/10/2023 +ms.date: 07/01/2024 ms.topic: conceptual --- 
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
index bf19bb6ad7f..fb091f005b9 100644
--- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -1,7 +1,7 @@
 ---
 title: Manage the Settings app with Group Policy
 description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
-ms.date: 08/10/2023
+ms.date: 07/01/2024
 ms.topic: conceptual
 ---
 
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index 78e358f1fd4..5e64dd2f66c 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -1,16 +1,13 @@ --- title: Create mandatory user profiles -description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. -ms.date: 08/10/2023 +description: A mandatory user profile is a special type of preconfigured roaming user profile that administrators can use to specify settings for users. +ms.date: 07/01/2024 ms.topic: conceptual -ms.collection: -- highpri -- tier2 --- # Create mandatory user profiles -A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned. +A mandatory user profile is a roaming user profile that has been preconfigured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned. Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. 
@@ -118,12 +115,12 @@ In a domain, you modify properties for the user account to point to the mandator ### How to apply a mandatory user profile to users 1. Open **Active Directory Users and Computers** (dsa.msc). -1. Navigate to the user account that you'll assign the mandatory profile to. +1. Navigate to the user account that you want to assign the mandatory profile to. 1. Right-click the user name and open **Properties**. 1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`. 1. Select **OK**. -It may take some time for this change to replicate to all domain controllers. +It can take some time for this change to replicate to all domain controllers. ## Apply policies to improve sign-in time diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index f902b922049..25a3039918a 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -1,9 +1,8 @@ --- title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. -ms.date: 08/10/2023 +ms.date: 07/01/2024 ms.topic: conceptual -ms.localizationpriority: medium ms.collection: - highpri - tier1 
@@ -11,11 +10,16 @@ ms.collection: # Use Quick Assist to help users -Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. +Quick Assist is an application that enables a person to share their [Windows](#install-quick-assist-on-windows) or [macOS](#install-quick-assist-on-macos) device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. + +> [!IMPORTANT] +> Learn how to [protect yourself from tech support scams](https://support.microsoft.com/help/4013405). Tech support scams are an industry-wide issue where scammers use scare tactics to trick you into unnecessary technical support services. Only allow a Helper to connect to your device if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. +> +> If you or someone you know has been affected by a tech support scam, use the [technical support scam form](https://support.microsoft.com/windows/cfa4609a-92cc-4808-95e8-392b4ffd0753) to report it. ## Before you begin -All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. +All you need to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. 
The helper must have a Microsoft account. The sharer doesn't have to authenticate. ### Authentication @@ -38,7 +42,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis | `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. | | `aadcdn.msauth.net` | Required for logging in to the application (Microsoft Entra ID). | | `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. | -| `login.microsoftonline.com` | Required for Microsoft login service. | +| `login.microsoftonline.com` | Required for Microsoft sign-in service. | | `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. | | `turn.azure.com` | Required for Azure Communication Service. | @@ -89,52 +93,80 @@ Microsoft logs a small amount of session data to monitor the health of the Quick In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. -## Install Quick Assist +## Install Quick Assist on Windows ### Install Quick Assist from the Microsoft Store 1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5). -1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, **Get** changes to **Open**.
    :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: +1. In the Microsoft Store, select **View in store**, then install Quick Assist. When the installation is complete, **Install** changes to **Open**. For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). ### Install Quick Assist with Intune -Before installing Quick Assist, you need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. - -1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. -1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). -1. Select **Manage** / **Settings** and enable **Show offline apps**. -1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. -1. Search for **Quick Assist** and select it from the Search results. -1. Choose the **Offline** license and select **Get the app** -1. In the Intune admin center, choose **Sync**. -1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. -1. Select it to view its properties. -1. By default, the app isn't assigned to any user or device, select the **Edit** link. Assign the app to the required group of devices and choose **Review + save** to complete the application install. 
- -> [!NOTE] -> Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context. - -Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information. +To deploy Quick Assist with Intune, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft). ### Install Quick Assist Offline To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. -1. Start **Windows PowerShell** with Administrative privileges. -1. In PowerShell, change the directory to the location you've saved the file to in step 1: `cd ` -1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` -1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` +1. Start **Windows PowerShell** with Administrative privileges +1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd ` +1. To install Quick Assist, run the following command: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` +1. 
After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` -## Microsoft Edge WebView2 +### Microsoft Edge WebView2 -The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function. +The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application is developed using this control, making it a necessary component for the app to function. - For Windows 11 users, this runtime control is built in. - For Windows 10 users, the Quick Assist Store app detects if WebView2 is present on launch and if necessary, installs it automatically. If an error message or prompt is shown indicating WebView2 isn't present, it needs to be installed separately. -For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) +For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime.](/microsoft-edge/webview2/concepts/distribution) + +## Install Quick Assist on macOS + +Quick Assist for macOS is available for interactions with Microsoft Support. If Microsoft products on your macOS device aren't working as expected, contact [Microsoft Support](https://support.microsoft.com/contactus) for assistance. Your Microsoft Support agent will guide you through the process of downloading and installing it on your device. + +> [!NOTE] +> Quick Assist for macOS is not available outside of Microsoft Support interactions. 
+ +## Disable Quick Assist within your organization + +If your organization utilizes another remote support tool such as [Remote Help](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune-remote-help), disable or remove Quick Assist as a best practice, if it isn't used within your environment. This prevents guests from using Quick Assist to gain access to devices within your organization. + +### Disable Quick Assist + +To disable Quick Assist, block traffic to the `https://remoteassistance.support.services.microsoft.com` endpoint. This is the primary endpoint used by Quick Assist to establish a session, and once blocked, Quick Assist can't be used to get help or help someone. + +### Uninstall Quick Assist + +#### Uninstall via PowerShell + +Run the following PowerShell command as Administrator: + +`Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist | Remove-AppxPackage -AllUsers` + +#### Uninstall via Windows Settings + +Navigate to **Settings** > **Apps** > **Installed apps** > Quick Assist > select the ellipsis (…), then select **Uninstall**. + +## Report Abuse + +Before joining a session, it's important for you to know who you are connecting to. Anyone that has control over your device can perform actions on your device, and potentially install malicious applications or take other actions that can damage your device. + +Follow these best practices for using Quick Assist or any remote desktop software: + +- Never allow a connection to your device by someone claiming to be "IT Support" unless you initiated the interaction with them. +- Don't provide access to anyone claiming to have an urgent need to access your device. +- Don't share credentials to any websites or applications. + +> [!NOTE] +> Microsoft will never contact you through unsolicited emails, phone calls, or other methods to request access to your device. 
Microsoft will only request access to your device if you have contacted us and directly requested help with solving an issue you are experiencing. If you need customer service support from Microsoft, please visit [Microsoft Support](https://support.microsoft.com/). + +If you suspect that the person connecting to your device is being malicious, disconnect from the session immediately and report the concern to your local authorities and/or any relevant IT members within your organization. + +If you or someone you know has been affected by a tech support scam, use the [technical support scam form](https://support.microsoft.com/windows/cfa4609a-92cc-4808-95e8-392b4ffd0753) to report it. ## Next steps diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml index 115ff9afd8a..9600b605e45 100644 --- a/windows/client-management/client-tools/toc.yml +++ b/windows/client-management/client-tools/toc.yml @@ -1,4 +1,6 @@ items: + - name: Add, remove, or hide Windows features + href: add-remove-hide-features.md - name: Windows Tools/Administrative Tools href: administrative-tools-in-windows.md - name: Use Quick Assist to help users @@ -13,7 +15,7 @@ items: href: manage-settings-app-with-group-policy.md - name: Manage default media removal policy href: change-default-removal-policy-external-storage-media.md - - name: What version of Windows am I running - href: windows-version-search.md - name: Windows libraries href: windows-libraries.md + - name: What version of Windows am I running + href: windows-version-search.md \ No newline at end of file diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md index 3486649f207..65a263719f2 100644 --- a/windows/client-management/client-tools/windows-libraries.md +++ b/windows/client-management/client-tools/windows-libraries.md 
@@ -2,13 +2,15 @@
 title: Windows Libraries
 description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/01/2024
 ---
 # Windows libraries
 Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
+To show libraries in File Explorer, go to **Options**, select the **View** tab, and then select **Show libraries**.
+
 ## Features for Users
 Windows libraries provide full content search and rich metadata. Libraries offer the following advantages to users:
diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md
index 2bb838cf729..2c342661317 100644
--- a/windows/client-management/client-tools/windows-version-search.md
+++ b/windows/client-management/client-tools/windows-version-search.md
@@ -1,7 +1,7 @@
 ---
 title: What version of Windows am I running?
 description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
-ms.date: 08/10/2023
+ms.date: 07/01/2024
 ms.topic: conceptual
 ---
@@ -17,8 +17,6 @@ To determine if your device is enrolled in the Long-Term Servicing Channel or th
 Select **Start** > **Settings** > **System**, then select **About**. You then see **Edition**, **Version**, and **OS Build** information.
-:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
-
 ## Using Keyword Search
 You can type the following in the search bar and press **ENTER** to see version details for your device.
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 30b905a41de..f497c867125 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -2,7 +2,7 @@
 title: Secured-core configuration lock
 description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 appliesto:
 - ✅ Windows 11
 ---
@@ -63,7 +63,7 @@ The steps to turn on config lock using Microsoft Intune are as follows:
 Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
-:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
+:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of System Guard protects your device from compromised firmware. The setting is set to Off.":::
 ## FAQ
diff --git a/windows/client-management/declared-configuration-extensibility.md b/windows/client-management/declared-configuration-extensibility.md
index 3121be77f06..7b1f9991f82 100644
--- a/windows/client-management/declared-configuration-extensibility.md
+++ b/windows/client-management/declared-configuration-extensibility.md
@@ -1,13 +1,13 @@
 ---
 title: Declared configuration extensibility
 description: Learn more about declared configuration extensibility through native WMI providers.
-ms.date: 09/26/2023
+ms.date: 07/08/2024
 ms.topic: how-to
 ---
 # Declared configuration extensibility providers
-The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties.
+The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that implements a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and can implement any number of string properties.
 > [!NOTE]
 > Only string properties are currently supported by extensibility providers.
@@ -51,7 +51,7 @@ uint32 SetTargetResource(
 To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement.
-1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
+1. Create a Managed Object Format (MOF) file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
 2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool.
 3. Edit the required files and include the correct file names and class names.
 4. Invoke the provider generator tool to generate the provider's project files.
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
index f655d1ae194..e12a89b7cae 100644
--- a/windows/client-management/declared-configuration.md
+++ b/windows/client-management/declared-configuration.md
@@ -1,7 +1,7 @@
 ---
 title: Declared configuration protocol
 description: Learn more about using declared configuration protocol for desired state management of Windows devices.
-ms.date: 09/26/2023
+ms.date: 07/08/2024
 ms.topic: overview
 ---
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index c298893a3aa..5f61783f992 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -2,7 +2,7 @@
 title: Mobile device management MDM for device updates
 description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ms.collection:
 - highpri
 - tier2
@@ -25,7 +25,7 @@ In particular, Windows provides APIs to enable MDMs to:
 - Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
 - Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
-This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
+This article provides independent software publishers (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
 > [!NOTE]
 > The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
@@ -88,7 +88,7 @@ This section describes a possible algorithm for using the server-server sync pro
 First some background:
-- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
+- If you have a multitenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
 - A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
 - The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
@@ -130,7 +130,7 @@ The following screenshots of the administrator console show the list of update t
 ### SyncML example
-Set auto update to notify and defer.
+Set Microsoft AutoUpdate to notify and defer.
 ```xml
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 612dd076515..cfc52d7c69e 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -2,7 +2,7 @@
 title: Disconnecting from the management infrastructure (unenrollment)
 description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---
 # Disconnecting from the management infrastructure (unenrollment)
@@ -22,14 +22,14 @@ During disconnection, the client executes the following tasks:
 In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device.
-This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
+This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment can succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
 > [!NOTE]
 > The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
 The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
-After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
+After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DMClient starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
 The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article.
@@ -107,15 +107,13 @@ You can only use the Work Access page to unenroll under the following conditions
 - Enrollment was done using bulk enrollment.
 - Enrollment was created using the Work Access page.
-
-
 ## Unenrollment from Microsoft Entra join
 When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
 ![aadj unenerollment.](images/azure-ad-unenrollment.png)
-During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
+During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device can get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
 Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation.
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 07e6f430e86..4f0356dff41 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -56,12 +56,11 @@
 "folder_relative_path_in_docset": "./"
 }
 },
- "titleSuffix": "Windows Client Management",
 "contributors_to_exclude": [
 "dstrome2",
- "rjagiewich",
+ "rjagiewich",
 "American-Dipper",
- "claydetels19",
+ "claydetels19",
 "jborsecnik",
 "v-stchambers",
 "shdyas",
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index 00618845b9a..db0f36a0855 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -3,7 +3,7 @@ title: Enable ADMX policies in MDM
 description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---
 # Enable ADMX policies in MDM
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index f9ccd5cc0a7..409c2838217 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -2,7 +2,7 @@
 title: Enroll a Windows device automatically using Group Policy
 description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ms.collection:
 - highpri
 - tier2
@@ -12,7 +12,7 @@ ms.collection:
 You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
-The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
+The group policy created on your local AD triggers enrollment into Intune without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
 **Requirements**:
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index b6e975a1c87..323376d6736 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -2,7 +2,7 @@
 title: Enterprise app management
 description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---
 # Enterprise app management
@@ -116,7 +116,7 @@ There are two basic types of apps you can deploy:
 - Store apps.
 - Enterprise signed apps.
-To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
+To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for nonstore app deployment.
 ### Unlock the device for non-Store apps
@@ -154,7 +154,7 @@ Here's an example:
 ### Unlock the device for developer mode
-Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of non-packaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP.
+Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of nonpackaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP.
 AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
@@ -238,8 +238,8 @@ If you purchased an app from the Store for Business, the app license must be dep In the SyncML, you need to specify the following information in the `Exec` command: -- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. -- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. +- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base 64 encoded license download from the Store for Business. +- License Content - This content is specified in the data section. The License Content is the Base 64 encoded blob of the license. Here's an example of an offline license installation. 
@@ -469,7 +469,7 @@ When an app installation is completed, a Windows notification is sent. You can a - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. + - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean-up action hasn't completed, then this state may briefly appear. - LastError - The last error reported by the app deployment server. - LastErrorDescription - Describes the last error reported by the app deployment server. - Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 970b5917af2..2a289815913 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md @@ -3,7 +3,7 @@ title: eSIM Enterprise Management description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # How Mobile Device Management Providers support eSIM Management on Windows 
@@ -28,7 +28,7 @@ If you're a Mobile Device Management (MDM) Provider and want to support eSIM Man - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. -- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Operator doesn't have visibility over status of the eSIM profiles - Real-time solution - MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md index ecb42e81608..32b2fef7ef6 100644 --- a/windows/client-management/federated-authentication-device-enrollment.md +++ b/windows/client-management/federated-authentication-device-enrollment.md @@ -2,7 +2,7 @@ title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # Federated authentication device enrollment 
@@ -122,7 +122,7 @@ The discovery response is in the XML format and includes the following fields: > [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage is used by the enrollment client as the device security secret during the client certificate enrollment request call. +When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an end page is used by the enrollment client as the device security secret during the client certificate enrollment request call. > [!NOTE] > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: 
@@ -183,7 +183,7 @@ Content-Length: 556 ``` -The server has to send a POST to a redirect URL of the form `ms-app://string` (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form its just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string. +The server has to send a POST to a redirect URL of the form `ms-app://string` (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string. The following example shows a response received from the discovery web service that requires authentication via WAB. 
@@ -367,7 +367,7 @@ The following snippet shows the policy web service response. ## Enrollment web service -This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client. +This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DMClient. The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully. 
@@ -471,15 +471,15 @@ Similar to the TokenType in the RST, the RSTR uses a custom ValueType in the Bin The provisioning XML contains: - The requested certificates (required) -- The DM client configuration (required) +- The DMClient configuration (required) -The client installs the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. +The client installs the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DMClient calls back to the server. Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session. When root and intermediate CA certificates are being provisioned, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning. -Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section. +Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies, and app management section. The following example shows the enrollment web service response. 
diff --git a/windows/client-management/images/8908044-recall.png b/windows/client-management/images/8908044-recall.png new file mode 100644 index 00000000000..92c93c46cb4 Binary files /dev/null and b/windows/client-management/images/8908044-recall.png differ diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index e9c0ab5ecc1..6d2acde09e4 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md @@ -2,7 +2,7 @@ title: Support for Windows Information Protection (WIP) on Windows description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices. ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # Support for Windows Information Protection (WIP) on Windows @@ -11,8 +11,6 @@ Windows Information Protection (WIP) is a lightweight solution for managing comp [!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)] - - ## Integration with Microsoft Entra ID WIP is integrated with Microsoft Entra identity service. The WIP service supports Microsoft Entra integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Microsoft Entra ID is similar to mobile device management (MDM) integration. See [Microsoft Entra integration with MDM](azure-active-directory-integration-with-mdm.md). 
@@ -78,7 +76,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr ## Supported CSPs -WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback: +WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list can change later based on customer feedback: - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps. - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 860eb04bfe4..4cee76e2bbb 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -10,10 +10,11 @@ metadata: ms.collection: - highpri - tier1 + - essentials-manage author: vinaypamnani-msft ms.author: vinpa manager: aaroncz - ms.date: 01/18/2024 + ms.date: 07/08/2024 localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md new file mode 100644 index 00000000000..82a405289c0 --- /dev/null +++ b/windows/client-management/manage-recall.md 
@@ -0,0 +1,96 @@
+---
+title: Manage Recall for Windows clients
+description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
+ms.topic: how-to
+ms.subservice: windows-copilot
+ms.date: 06/13/2024
+ms.author: mstewart
+author: mestew
+ms.collection:
+ - windows-copilot
+ - magic-ai-copilot
+appliesto:
+- ✅ Copilot+ PCs
+---
+
+
+# Manage Recall
+
+>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
+
+Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
+
+> [!NOTE]
+> Recall is coming soon through a post-launch Windows update. See [aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
+
+When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
+
+:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png":::
+
+## System requirements
+Recall has the following minimum system requirements:
+
+- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs)
+- 16 GB RAM
+- 8 logical processors
+- 256 GB storage capacity
+ - To enable Recall, you need at least 50 GB of space free
+ - Snapshot capture automatically pauses once the device has less than 25 GB of disk space
+
+## Supported browsers
+
+Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
+
+- **Microsoft Edge**: blocks websites and filters private browsing activity
+- **Firefox**: blocks websites and filters private browsing activity
+- **Opera**: blocks websites and filters private browsing activity
+- **Google Chrome**: blocks websites and filters private browsing activity
+- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed above, filters private browsing activity only, doesn't block specific websites
+
+
+## Configure policies for Recall
+
+Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. The following policy allows you to disable analysis of user content:
+
+|   | Setting |
+|---|---|
+| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) |
+| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
+
+## Limitations
+
+In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
+
+## User controlled settings for Recall
+
+The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
+
+- Website filtering
+- App filtering
+- Storage allocation
+ - When the storage limit is reached, the oldest snapshots are deleted first.
+- Deleting snapshots
+ - Delete all snapshots
+ - Delete snapshots within a specific time frame
+
+
+### Storage allocation
+
+The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
+
+| Device storage capacity | Storage allocation options for Recall |
+|---|---|
+| 256 GB | 25 GB (default), 10 GB |
+| 512 GB | 75 GB (default), 50 GB, 25 GB |
+| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
+
+
+## Microsoft's commitment to responsible AI
+
+Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).
+
+Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15).
+
+## Information for developers
+
+If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index cc6af7d11fc..a43167be490 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -2,13 +2,13 @@ title: Manage Windows devices in your organization - transitioning to modern management description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. ms.localizationpriority: medium -ms.date: 08/10/2023 +ms.date: 07/08/2024 ms.topic: conceptual --- # Manage Windows devices in your organization - transitioning to modern management -Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization. +Use of personal devices for work, and users working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization. Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. 
This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster. 
@@ -45,13 +45,13 @@ You can use Windows and services like [Microsoft Entra ID](/azure/active-directo You can envision user and device management as falling into these two categories: -- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices: +- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your users can self-provision their devices: - For corporate devices, they can set up corporate access with [Microsoft Entra join](/azure/active-directory/devices/overview). When you offer them Microsoft Entra join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. - Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time users. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. - - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. + - Likewise, for personal devices, users can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. 
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. @@ -71,7 +71,7 @@ As you review the roles in your organization, you can use the following generali ## Settings and configuration -Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. +Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, users are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. - **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. 
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 8608166976a..46d7c8c8dc6 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -1,11 +1,14 @@ --- title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. -ms.topic: conceptual +ms.topic: how-to ms.subservice: windows-copilot -ms.date: 02/09/2024 +ms.date: 06/13/2024 ms.author: mstewart author: mestew +ms.collection: + - windows-copilot + - magic-ai-copilot appliesto: - ✅ Windows 11, version 22H2 or later --- 
@@ -15,16 +18,20 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). +> [!Note] +> - This article and the [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices. + Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/copilot/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat. -> [!Note] -> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. -> - Copilot in Windows (in preview) is available in select global markets and will be rolled out to additional markets over time. [Learn more](https://www.microsoft.com/windows/copilot-ai-features#faq). 
## Configure Copilot in Windows for commercial environments At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: +> [!Note] +> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. +> - Copilot in Windows (in preview) is available in select global markets and will be rolled out to additional markets over time. [Learn more](https://www.microsoft.com/windows/copilot-ai-features#faq). + 1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) 1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows 1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled 
@@ -109,10 +116,12 @@ To verify that Copilot with commercial data protection is enabled for the user a 1. To verify that commercial data protection is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Copilot** is enabled for the user. -1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**. - - > [!Note] - > If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise) using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users. +1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**. If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise), see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users. +1. Copilot with commercial data protection is used as the chat provider platform for users when the following conditions are met: + - Users have an eligible license, commercial data protection in Copilot is enabled, and the [Copilot in Windows user experience is enabled](#enable-the-copilot-in-windows-user-experience-for-windows-11-version-22h2-clients). 
+ - Users are signed in with their Microsoft Entra ID (work accounts) + - Users can sign into Windows with their Microsoft Entra ID + - For Active Directory users on Windows 11, a Microsoft Entra ID in the Web Account Manager (WAM) authentication broker can be used. Entra IDs in Microsoft Edge profiles and Microsoft 365 Apps would both be in WAM. The following sample PowerShell script connects to Microsoft Graph and lists which users that have Copilot with commercial data protection enabled and disabled: diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md index bc39a4ceb70..0a3b883dcdb 100644 --- a/windows/client-management/mdm-collect-logs.md +++ b/windows/client-management/mdm-collect-logs.md @@ -2,7 +2,7 @@ title: Collect MDM logs description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server. ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 ms.collection: - highpri - tier2 @@ -40,7 +40,7 @@ mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zi ### Understanding zip structure -The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub +The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning, and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) 
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md index 1d2c92bd1f9..5610d29c34b 100644 --- a/windows/client-management/mdm-diagnose-enrollment.md +++ b/windows/client-management/mdm-diagnose-enrollment.md @@ -2,7 +2,7 @@ title: Diagnose MDM enrollment failures description: Learn how to diagnose enrollment failures for Windows devices ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # Diagnose MDM enrollment diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index c3140fd86d2..f57170b82c2 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -5,12 +5,12 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # MDM enrollment of Windows devices -In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email. +In today's cloud-first world, enterprise IT departments increasingly want to let users use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email. > [!NOTE] > When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. 
@@ -24,8 +24,6 @@ You can connect corporate-owned devices to work by either joining the device to
 > [!NOTE]
 > For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md).
-
-
 ### Connect your device to a Microsoft Entra domain (join Microsoft Entra ID)
 All Windows devices can be connected to a Microsoft Entra domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to a Microsoft Entra domain using the Settings app.
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
index 10bd7ebaa11..43e571ecb6e 100644
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@@ -2,7 +2,7 @@
 title: Known issues in MDM
 description: Learn about known issues for Windows devices in MDM
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---
 # Known issues
@@ -11,11 +11,11 @@ ms.date: 08/10/2023
 A Get command inside an atomic command isn't supported.
-## Apps installed using WMI classes are not removed
+## Apps installed using WMI classes aren't removed
 Applications installed using WMI classes aren't removed when the MDM account is removed from device.
-## Passing CDATA in SyncML does not work
+## Passing CDATA in SyncML doesn't work
 Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work.
@@ -222,8 +222,6 @@ Alternatively you can use the following procedure to create an EAP Configuration
 After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
-
-
 ## User provisioning failure in Microsoft Entra joined devices
 For Microsoft Entra joined devices, provisioning `.\User` resources fails when the user isn't logged in as a Microsoft Entra user. If you attempt to join Microsoft Entra ID from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Microsoft Entra credentials to get your organizational configuration from your MDM server. This behavior is by design.
@@ -232,6 +230,6 @@ For Microsoft Entra joined devices, provisioning `.\User` resources fails when t
 If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
-## Device management agent for the push-button reset is not working
+## Device management agent for the push-button reset isn't working
 The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index 7b31fe006af..1db4cb2feec 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -1,12 +1,13 @@
 ---
 title: Mobile Device Management overview
 description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.collection:
 - highpri
 - tier2
+- essentials-manage
 ---
 # Mobile Device Management overview
@@ -56,8 +57,6 @@ For information about the MDM policies defined in the Intune security baseline,
 No. Only one MDM is allowed.
-
-
 ### How do I set the maximum number of Microsoft Entra joined devices per user?
 1. Sign in to the portal as tenant admin: .
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index f4e01b842cf..3fd4c9a6d5b 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,7 +1,7 @@
 ---
 title: LanguagePackManagement CSP
 description: Learn more about the LanguagePackManagement CSP.
-ms.date: 01/18/2024
+ms.date: 05/20/2024
 ---
@@ -41,7 +41,7 @@ The following list shows the LanguagePackManagement configuration service provid
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -80,7 +80,7 @@ Language to be installed or being installed. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -120,7 +120,7 @@ Language tag of the language to be installed or being installed. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -169,7 +169,7 @@ Copies the language to the international settings (that is, locale, input layout | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -218,7 +218,7 @@ Enables installations of all available language features when the value is true. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -257,7 +257,7 @@ Error code of queued language installation. 0 if there is no error. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -296,7 +296,7 @@ Execution node to queue a language for installation on the device. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -335,7 +335,7 @@ Status of the language queued for install. 0 - not started; 1 - in progress; 2 - | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -374,7 +374,7 @@ Languages currently installed on the device. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -414,7 +414,7 @@ Language tag of an installed language on the device. Delete to uninstall. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -453,7 +453,7 @@ Numeric representation of the language features installed. Basic Typing - 1 (0x1 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -492,7 +492,7 @@ Numeric representation of how a language is installed. 1 - The system language p | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -531,7 +531,7 @@ Language settings of the device. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index b32ae659dbe..99038f75e01 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -1,7 +1,7 @@ --- title: ActiveSync DDF file description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 6b5054eb370..8b278625096 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -1,7 +1,7 @@ --- title: ApplicationControl DDF file description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.18362 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 11f10bf906c..9d1ededd2a6 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md 
@@ -1,7 +1,7 @@
 ---
 title: AppLocker DDF file
 description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 85fa624e4af..cc69b6bb5a1 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -1,7 +1,7 @@
 ---
 title: AssignedAccess CSP
 description: Learn more about the AssignedAccess CSP.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
@@ -11,19 +11,9 @@ ms.date: 01/18/2024
-The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
+The AssignedAccess configuration service provider (CSP) is used to configure a kiosk or restricted user experience. Once the CSP is executed, the next user login that is associated with the Assigned Access profile puts the device into the kiosk mode specified in the CSP configuration.
-- For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a single-app kiosk on Windows 10/11](/windows/configuration/kiosk-single-app).
-- For a step-by-step guide for configuring multi-app kiosks, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
-
-> [!IMPORTANT]
-> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
-
-> [!WARNING]
-> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
-
-> [!NOTE]
-> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
+To learn more about how to configure Assigned Access, see [Configure kiosks and restricted user experiences](/windows/configuration/assigned-access). 
@@ -59,20 +49,7 @@ This node accepts an AssignedAccessConfiguration xml as input. -The input XML specifies the settings that you can configure in the kiosk or device. - -In **Windows 10, version 1803** the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. - -In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like `shift+alt+a`, where `shift` and `alt` are the modifiers and `a` is the key. - -In **Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446)**, AssignedAccessConfiguration schema was updated to add StartPins and TaskbarLayout nodes to support pinning apps to the Start Menu and Taskbar respectively. - -- For more information about setting up a multi-app kiosk, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). -- For more information on the schema, see [AssignedAccessConfiguration XSD](#assignedaccessconfiguration-xsd). -- For examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). 
- -> [!NOTE] -> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout). +To learn how to configure xml file, see [Create an Assigned Access configuration XML file](/windows/configuration/assigned-access/configuration-file) @@ -88,8 +65,6 @@ In **Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/ **Examples**: -For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). - - Get Configuration ```xml @@ -165,8 +140,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu > > This applies to both `domain\user`, `AzureAD\someone@contoso.onmicrosoft.com`, as long as a `\` is used in JSON string. -- For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app). -- For more information about single-app kiosk, see [Set up a single-app kiosk on Windows 10/11.](/windows/configuration/kiosk-single-app) +For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/store/find-aumid). > [!IMPORTANT] > @@ -293,9 +267,8 @@ This node accepts a ShellLauncherConfiguration xml as input. -In **Windows 10, version 1903**, Shell Launcher V2 was introduced to support both UWP and Win32 apps as the custom shell. -For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). +To learn about Shell Launcher, see [What is Shell Launcher?](/windows/configuration/assigned-access/shell-launcher). > [!IMPORTANT] > You can't set both ShellLauncher and KioskModeApp at the same time on the device. 
@@ -317,193 +290,8 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau -**ShellLauncherConfiguration XSD**: - -> [!NOTE] -> Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. - -- Shell Launcher V1 XSD - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` -- Shell Launcher V2 XSD - - ```xml - - - - - - - - - - - - - - - - ``` +Here's the Shell Launcher XSD reference article: [Shell Launcher XML Schema Definition (XSD)](/windows/configuration/assigned-access/shell-launcher/xsd). **Examples**: @@ -523,160 +311,7 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - -
    - ``` - -- Add AutoLogon - - This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. - - > [!NOTE] - > The auto-logon function is designed to be used after OOBE with provisioning packages. - - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - ``` - -- V2 Add - - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ]]> 
@@ -1026,594 +661,15 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat ## AssignedAccessConfiguration XSD -- Schema for AssignedAccessConfiguration. - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Here's the Assigned Access XSD reference article: [Assigned Access XML Schema Definition (XSD)](/windows/configuration/assigned-access/xsd). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ); - ``` - -- Schema for features introduced in Windows 10, version 1809 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. - - ```xml - - - - - - - - - - - - - - ``` - -- Schema for new features introduced in Windows 10 1809 release. - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` - -- Schema for Windows 10 prerelease. - - ```xml - - - - - - - - - - - - - - - - - - - ``` - -## AssignedAccessConfiguration examples - -> [!NOTE] -> To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that was added in the 1809 release, use the below sample. Notice an alias `r1809` is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. -> -> ```xml -> xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" -> xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config" -> > -> -> -> -> -> -> ... 
-> -> ``` - -- Example XML configuration for a multi-app kiosk for Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446). - - > [!NOTE] - > This example demonstrates the use of StartPins and TaskbarLayout elements. For more information, see [Set up a multi-app kiosk on Windows 11 devices](/windows/configuration/lock-down-windows-11-to-specific-apps). - > - > - StartPins element is used to pin apps to the Start menu and uses the [pinnedList JSON](/windows/configuration/customize-start-menu-layout-windows-11#get-the-pinnedlist-json) format. - > - TaskbarLayout element is used to pin apps to the taskbar and uses the [TaskbarLayoutModification XML](/windows/configuration/customize-taskbar-windows-11#create-the-xml-file) format. - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - ]]> - - - - - - MultiAppKioskUser - - - - - ``` - -- Example XML configuration for a multi-app kiosk for Windows 10. - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - MultiAppKioskUser - - - - - ``` - -- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. - - ```xml - - - - - - - - - - EdgeKioskUser - - - - - ``` - -- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. - - > [!NOTE] - > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. - - ```xml - - - - - - - - - - - EdgeKioskUser - - - - - ``` - - - -## Windows Holographic for Business edition example - -This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). 
- -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - AzureAD\multiusertest@analogfre.onmicrosoft.com - - - - -``` +For practical examples of Assigned Access configuration files, see [Assigned Access examples](/windows/configuration/assigned-access/examples). ## Handling XML in Configuration XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. -Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you'll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. +Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. Escape and CDATA are mechanisms used when handling xml in xml. Consider that it's a transportation channel to send the configuration xml as payload from server to client. 
It's transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML. @@ -1638,12 +694,6 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it' <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> <AllAppsList> <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> </AllowedApps> </AllAppsList> 
@@ -1655,14 +705,6 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it' <defaultlayout:StartLayout GroupCellWidth="6"> <start:Group Name="Group1"> <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> </start:Group> </defaultlayout:StartLayout> </StartLayoutCollection> @@ -1712,12 +754,6 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it' - - - - - - @@ -1729,10 +765,6 @@ Escape and CDATA are mechanisms used when handling xml in xml. Consider that it' - - - - diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index f5e0e84d265..81d21dbfabc 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,7 +1,7 @@ --- title: AssignedAccess DDF file description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- 
@@ -54,7 +54,7 @@ The following XML file contains the device description framework (DDF) for the A This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. -Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. +Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index d9cf189c9a3..647b90ac50b 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -16,13 +16,19 @@ ms.date: 01/18/2024 The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. > [!NOTE] +> To manage BitLocker through CSP except to enable and disable it using the `RequireDeviceEncryption` policy, one of the following licenses must be assigned to your users regardless of your management platform: > -> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. -> - You must send all the settings together in a single SyncML to be effective. +> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5). +> - Windows 10/11 Enterprise A3 or A5 (included in Microsoft 365 A3 and A5). A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). + +> [!NOTE] +> +> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. +> - You must send all the settings together in a single SyncML to be effective. @@ -654,7 +660,7 @@ Sample value for this node to enable this policy is: `` **Example**: -To disable this policy, use hte following SyncML: +To disable this policy, use the following SyncML: ```xml 
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 5f89c0bace0..51e2260bbaf 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,7 +1,7 @@ --- title: BitLocker DDF file description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the B 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -142,7 +142,7 @@ The following XML file contains the device description framework (DDF) for the B If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.” The format is string. Sample value for this node to enable this policy and set the encryption methods is: - + EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
@@ -194,7 +194,7 @@ The following XML file contains the device description framework (DDF) for the B Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. The format is string. Sample value for this node to enable this policy is: - + ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) All of the below settings are for computers with a TPM. @@ -250,7 +250,7 @@ The following XML file contains the device description framework (DDF) for the B NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. The format is string. Sample value for this node to enable this policy is: - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: @@ -291,7 +291,7 @@ The following XML file contains the device description framework (DDF) for the B Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: 0 = Empty 
@@ -344,7 +344,7 @@ The following XML file contains the device description framework (DDF) for the B If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow @@ -402,7 +402,7 @@ The following XML file contains the device description framework (DDF) for the B If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow @@ -454,7 +454,7 @@ The following XML file contains the device description framework (DDF) for the B If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. The format is string. Sample value for this node to enable this policy is: - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: @@ -495,7 +495,7 @@ The following XML file contains the device description framework (DDF) for the B Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow 
@@ -575,7 +575,7 @@ The following XML file contains the device description framework (DDF) for the B require reinstallation of Windows. Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. The format is integer. - The expected values for this policy are: + The expected values for this policy are: 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, @@ -623,7 +623,7 @@ The following XML file contains the device description framework (DDF) for the B If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. - The expected values for this policy are: + The expected values for this policy are: 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy @@ -741,7 +741,7 @@ The policy only comes into effect when Active Directory backup for a recovery pa * status\RotateRecoveryPasswordsStatus * status\RotateRecoveryPasswordsRequestID - + Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index 34d7637fbe8..b552ae24ad8 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md 
@@ -1,7 +1,7 @@
 ---
 title: CertificateStore DDF file
 description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider.
-ms.date: 01/31/2024
+ms.date: 06/28/2024
 ---
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index af84e44ec7d..89b0a33e281 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,7 +1,7 @@
 ---
 title: ClientCertificateInstall CSP
 description: Learn more about the ClientCertificateInstall CSP.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
@@ -9,6 +9,8 @@ ms.date: 01/31/2024
 # ClientCertificateInstall CSP
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
@@ -38,6 +40,7 @@ The following list shows the ClientCertificateInstall configuration service prov
 - [ErrorCode](#devicescepuniqueiderrorcode)
 - [Install](#devicescepuniqueidinstall)
 - [AADKeyIdentifierList](#devicescepuniqueidinstallaadkeyidentifierlist)
+ - [AttestPrivateKey](#devicescepuniqueidinstallattestprivatekey)
 - [CAThumbprint](#devicescepuniqueidinstallcathumbprint)
 - [Challenge](#devicescepuniqueidinstallchallenge)
 - [ContainerName](#devicescepuniqueidinstallcontainername)
@@ -76,6 +79,7 @@ The following list shows the ClientCertificateInstall configuration service prov - [ErrorCode](#userscepuniqueiderrorcode) - [Install](#userscepuniqueidinstall) - [AADKeyIdentifierList](#userscepuniqueidinstallaadkeyidentifierlist) + - [AttestPrivateKey](#userscepuniqueidinstallattestprivatekey) - [CAThumbprint](#userscepuniqueidinstallcathumbprint) - [Challenge](#userscepuniqueidinstallchallenge) - [ContainerName](#userscepuniqueidinstallcontainername) @@ -828,6 +832,45 @@ Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon sepa + +##### Device/SCEP/{UniqueID}/Install/AttestPrivateKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AttestPrivateKey +``` + + + + +Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Get | + + + + + + + + ##### Device/SCEP/{UniqueID}/Install/CAThumbprint @@ -2402,6 +2445,55 @@ Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon sepa + +##### User/SCEP/{UniqueID}/Install/AttestPrivateKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AttestPrivateKey +``` + + + + +Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Don't attest private key. | +| 1 | Attest key, but in case attestation failed, best effort approach - CSR is sent to the server. | +| 2 | Attest key, but in case attestation failed, fail fast (i.e release the key and not issue a CSR to the server). | + + + + + + + + ##### User/SCEP/{UniqueID}/Install/CAThumbprint diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 7648af9a26c..20bf836b452 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -1,7 +1,7 @@ --- title: ClientCertificateInstall DDF file description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -72,8 +72,8 @@ The following XML file contains the device description framework (DDF) for the C - Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. -Format is node. + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. 
@@ -143,7 +143,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. @@ -169,7 +169,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this - Required. + Required. CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. @@ -227,7 +227,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/ 0 Optional. Used to specify if the PFX certificate password is encrypted with a certificate. -If the value is +If the value is 0 - Password is not encrypted 1- Password is encrypted using the MDM certificate by the MDM server 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. @@ -353,7 +353,7 @@ If the value is - Optional. + Optional. When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. 
@@ -413,7 +413,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the - Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Calling Delete on the this node, should delete the corresponding SCEP certificate @@ -560,6 +560,46 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat + + AttestPrivateKey + + + + + + Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + 0 + Do not attest private key + + + 1 + Attest key, but in case attestation failed, best effort approach - CSR is sent to the server + + + 2 + Attest key, but in case attestation failed, fail fast (i.e release the key and not issue a CSR to the server) + + + + SubjectName @@ -596,7 +636,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat 3 - Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. SCEP enrolled cert doesn’t support TPM PIN protection. @@ -640,7 +680,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 The min value is 1. @@ -725,7 +765,7 @@ The min value is 0 which means no retry. - Required for enrollment. Specify private key length (RSA). + Required for enrollment. Specify private key length (RSA). Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. 
@@ -764,7 +804,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. For NGC, only SHA256 is supported as the supported algorithm @@ -845,7 +885,7 @@ For NGC, only SHA256 is supported as the supported algorithm Days - Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. 
@@ -885,7 +925,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. @@ -912,7 +952,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. @@ -1155,8 +1195,8 @@ Valid values are: - Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. -Format is node. + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. 
@@ -1226,7 +1266,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. @@ -1252,7 +1292,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this - Required. + Required. CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. @@ -1310,7 +1350,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/ 0 Optional. Used to specify if the PFX certificate password is encrypted with a certificate. -If the value is +If the value is 0 - Password is not encrypted 1- Password is encrypted using the MDM certificate by the MDM server 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. @@ -1436,7 +1476,7 @@ If the value is - Optional. + Optional. When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. 
@@ -1496,7 +1536,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the - Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Calling Delete on the this node, should delete the corresponding SCEP certificate @@ -1643,6 +1683,34 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat + + AttestPrivateKey + + + + + + Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + + SubjectName @@ -1679,7 +1747,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat 3 - Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. SCEP enrolled cert doesn’t support TPM PIN protection. @@ -1723,7 +1791,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 The min value is 1. @@ -1808,7 +1876,7 @@ The min value is 0 which means no retry. - Required for enrollment. Specify private key length (RSA). + Required for enrollment. Specify private key length (RSA). Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. 
@@ -1847,7 +1915,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. For NGC, only SHA256 is supported as the supported algorithm @@ -1928,7 +1996,7 @@ For NGC, only SHA256 is supported as the supported algorithm Days - Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. 
@@ -1968,7 +2036,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. @@ -1995,7 +2063,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md index 8e70090f67d..400b6557073 100644 --- a/windows/client-management/mdm/clouddesktop-csp.md +++ b/windows/client-management/mdm/clouddesktop-csp.md @@ -1,7 +1,7 @@ --- title: CloudDesktop CSP description: Learn more about the CloudDesktop CSP. -ms.date: 01/18/2024 +ms.date: 06/19/2024 --- 
@@ -19,17 +19,19 @@ ms.date: 01/18/2024 The following list shows the CloudDesktop configuration service provider nodes: - ./Device/Vendor/MSFT/CloudDesktop - - [BootToCloudPCEnhanced](#boottocloudpcenhanced) - - [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode) + - [BootToCloudPCEnhanced](#deviceboottocloudpcenhanced) + - [EnableBootToCloudSharedPCMode](#deviceenableboottocloudsharedpcmode) +- ./User/Vendor/MSFT/CloudDesktop + - [EnablePhysicalDeviceAccess](#userenablephysicaldeviceaccess) -## BootToCloudPCEnhanced +## Device/BootToCloudPCEnhanced | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ❌ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ❌ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later | @@ -76,7 +78,7 @@ This node allows to configure different kinds of Boot to Cloud mode. Boot to clo -## EnableBootToCloudSharedPCMode +## Device/EnableBootToCloudSharedPCMode > [!NOTE] > This policy is deprecated and may be removed in a future release. @@ -129,6 +131,55 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to + +## User/EnablePhysicalDeviceAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ❌ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/CloudDesktop/EnablePhysicalDeviceAccess +``` + + + + +Configuring this node gives access to the physical devices used to boot to Cloud PCs from the Ctrl+Alt+Del page for specified users. This node supports these options: 0. Not enabled 1. Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `bool` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Access to physical device disabled. | +| true | Access to physical device enabled. | + + + + + + + + ## BootToCloudPCEnhanced technical reference diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md index 60be060ee67..776f55aac68 100644 --- a/windows/client-management/mdm/clouddesktop-ddf-file.md +++ b/windows/client-management/mdm/clouddesktop-ddf-file.md @@ -1,7 +1,7 @@ --- title: CloudDesktop DDF file description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -19,7 +19,7 @@ The following XML file contains the device description framework (DDF) for the C CloudDesktop - ./Device/Vendor/MSFT + ./User/Vendor/MSFT 
@@ -39,8 +39,71 @@ The following XML file contains the device description framework (DDF) for the C 99.9.99999 - 9.9 - 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;0xD2; + 2.0 + 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD; + + + + EnablePhysicalDeviceAccess + + + + + + + + false + Configuring this node gives access to the physical devices used to boot to Cloud PCs from the Ctrl+Alt+Del page for specified users. This node supports these options: 0. Not enabled 1. Enabled. + + + + + + + + + + Enable access to physical device + + + + + + false + Access to physical device disabled + + + true + Access to physical device enabled + + + + + + + CloudDesktop + ./Device/Vendor/MSFT + + + + + The CloudDesktop configuration service provider is used to configure different Cloud PC related scenarios. + + + + + + + + + + + + + + 10.0.22621.3235 + 1.0 + 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD; @@ -68,8 +131,8 @@ The following XML file contains the device description framework (DDF) for the C - 99.9.99999 - 9.9 + 10.0.22621.3235 + 1.0 diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index dbb6d25b17c..99b94df7495 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md 
@@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
 As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
-- [DDF v2 Files, September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
+- [DDF v2 Files, May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
 ## DDF v2 schema
@@ -575,6 +575,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
 You can download the older DDF files for various CSPs from the links below:
+- [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
 - [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
 - [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
index 22f6c58926a..07e2e406e67 100644
--- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: DeclaredConfiguration DDF file
 description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
 99.9.99999
 9.9
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
    diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index f3477a11328..198570987eb 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,7 +1,7 @@ --- title: Defender CSP description: Learn more about the Defender CSP. -ms.date: 01/31/2024 +ms.date: 06/21/2024 --- @@ -33,6 +33,9 @@ The following list shows the Defender configuration service provider nodes: - [BruteForceProtectionConfiguredState](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionconfiguredstate) - [BruteForceProtectionExclusions](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionexclusions) - [BruteForceProtectionMaxBlockTime](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionmaxblocktime) + - [BruteForceProtectionPlugins](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionplugins) + - [BruteForceProtectionLocalNetworkBlocking](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionpluginsbruteforceprotectionlocalnetworkblocking) + - [BruteForceProtectionSkipLearningPeriod](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionpluginsbruteforceprotectionskiplearningperiod) - [RemoteEncryptionProtection](#configurationbehavioralnetworkblocksremoteencryptionprotection) - [RemoteEncryptionProtectionAggressiveness](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionaggressiveness) - [RemoteEncryptionProtectionConfiguredState](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionconfiguredstate) 
@@ -53,6 +56,8 @@ The following list shows the Defender configuration service provider nodes: - [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata) - [DeviceControlEnabled](#configurationdevicecontrolenabled) - [DisableCacheMaintenance](#configurationdisablecachemaintenance) + - [DisableCoreServiceECSIntegration](#configurationdisablecoreserviceecsintegration) + - [DisableCoreServiceTelemetry](#configurationdisablecoreservicetelemetry) - [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans) - [DisableDatagramProcessing](#configurationdisabledatagramprocessing) - [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing) @@ -71,6 +76,8 @@ The following list shows the Defender configuration service provider nodes: - [EnableConvertWarnToBlock](#configurationenableconvertwarntoblock) - [EnableDnsSinkhole](#configurationenablednssinkhole) - [EnableFileHashComputation](#configurationenablefilehashcomputation) + - [EnableUdpReceiveOffload](#configurationenableudpreceiveoffload) + - [EnableUdpSegmentationOffload](#configurationenableudpsegmentationoffload) - [EngineUpdatesChannel](#configurationengineupdateschannel) - [ExcludedIpAddresses](#configurationexcludedipaddresses) - [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins) @@ -748,6 +755,142 @@ Set the maximum time an IP address is blocked by Brute-Force Protection. After t + +##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +###### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionLocalNetworkBlocking + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionLocalNetworkBlocking +``` + + + + +Extend brute-force protection coverage in Microsoft Defender Antivirus to block local network addresses. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Brute-force protection won't block local network addresses. | +| 1 | Brute-force protection will block local network addresses. | + + + + + + + + + +###### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionSkipLearningPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionSkipLearningPeriod +``` + + + + +Skip the 2-week initial learning period, so brute-force protection in Microsoft Defender Antivirus can start blocking immediately. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Brute-force protection blocks threats only after completing a 2-week learning period. | +| 1 | Brute-force protection starts blocking threats immediately. | + + + + + + + + #### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection @@ -1585,6 +1728,104 @@ Defines whether the cache maintenance idle task will perform the cache maintenan + +### Configuration/DisableCoreServiceECSIntegration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableCoreServiceECSIntegration +``` + + + + +Turn off ECS integration for Defender core service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0x0 | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x0 (Default) | The Defender core service will use the Experimentation and Configuration Service (ECS) to rapidly deliver critical, org-specific fixes. | +| 0x1 | The Defender core service stops using the Experimentation and Configuration Service (ECS). Fixes will continue to be delivered through security intelligence updates. | + + + + + + + + + +### Configuration/DisableCoreServiceTelemetry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableCoreServiceTelemetry +``` + + + + +Turn off OneDsCollector telemetry for Defender core service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0x0 | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x0 (Default) | The Defender core service will use the OneDsCollector framework to rapidly collect telemetry. | +| 0x1 | The Defender core service stops using the OneDsCollector framework to rapidly collect telemetry, impacting Microsoft's ability to quickly recognize and address poor performance, false positives, and other problems. | + + + + + + + + ### Configuration/DisableCpuThrottleOnIdleScans @@ -2372,6 +2613,9 @@ This setting controls whether network protection blocks network traffic instead ### Configuration/EnableDnsSinkhole +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + | Scope | Editions | Applicable OS | |:--|:--|:--| @@ -2467,6 +2711,104 @@ Enables or disables file hash computation feature. When this feature is enabled + +### Configuration/EnableUdpReceiveOffload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableUdpReceiveOffload +``` + + + + +This setting enables Udp Receive Offload Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Udp Receive Offload is disabled. | +| 1 | Udp Receive Offload is enabled. | + + + + + + + + + +### Configuration/EnableUdpSegmentationOffload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableUdpSegmentationOffload +``` + + + + +This setting enables Udp Segmentation Offload Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Udp Segmentation Offload is disabled. | +| 1 | Udp Segmentation Offload is enabled. | + + + + + + + + ### Configuration/EngineUpdatesChannel diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 2e65444a0f2..f286ba947c9 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,7 +1,7 @@ --- title: Defender DDF file description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -1755,6 +1755,7 @@ The following XML file contains the device description framework (DDF) for the D DNS Sinkhole is enabled +
    @@ -2721,6 +2722,84 @@ The following XML file contains the device description framework (DDF) for the D + + DisableCoreServiceECSIntegration + + + + + + + + 0x0 + Turn off ECS integration for Defender core service + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0x0 + The Defender core service will use the Experimentation and Configuration Service (ECS) to rapidly deliver critical, org-specific fixes. + + + 0x1 + The Defender core service stops using the Experimentation and Configuration Service (ECS). Fixes will continue to be delivered through security intelligence updates. + + + + + + DisableCoreServiceTelemetry + + + + + + + + 0x0 + Turn off OneDsCollector telemetry for Defender core service + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0x0 + The Defender core service will use the OneDsCollector framework to rapidly collect telemetry. + + + 0x1 + The Defender core service stops using the OneDsCollector framework to rapidly collect telemetry, impacting Microsoft's ability to quickly recognize and address poor performance, false positives, and other problems. + + + + IntelTDTEnabled @@ -2881,6 +2960,84 @@ The following XML file contains the device description framework (DDF) for the D + + EnableUdpSegmentationOffload + + + + + + + + 0 + This setting enables Udp Segmentation Offload Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Udp Segmentation Offload is disabled + + + 1 + Udp Segmentation Offload is enabled + + + + + + EnableUdpReceiveOffload + + + + + + + + 0 + This setting enables Udp Receive Offload Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Udp Receive Offload is disabled + + + 1 + Udp Receive Offload is enabled + + + + AllowSwitchToAsyncInspection 
@@ -3439,6 +3596,104 @@ The following XML file contains the device description framework (DDF) for the D + + BruteForceProtectionPlugins + + + + + + + + + + + + + + + + + + + BruteForceProtectionLocalNetworkBlocking + + + + + + + + 0 + Extend brute-force protection coverage in Microsoft Defender Antivirus to block local network addresses. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + 0 + Brute-force protection will not block local network addresses + + + 1 + Brute-force protection will block local network addresses + + + + + + BruteForceProtectionSkipLearningPeriod + + + + + + + + 0 + Skip the 2-week initial learning period, so brute-force protection in Microsoft Defender Antivirus can start blocking immediately. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + 0 + Brute-force protection blocks threats only after completing a 2-week learning period + + + 1 + Brute-force protection starts blocking threats immediately + + + + + BruteForceProtectionExclusions diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index d51d3417ab2..c7b1a084705 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -1,7 +1,7 @@ --- title: DevDetail DDF file description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; 
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index e8d4b8243db..4769870f2a3 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -1,7 +1,7 @@ --- title: DeviceManageability DDF file description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.14393 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index fee0e44a1b5..b93cdfd1643 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -1,7 +1,7 @@ --- title: DevicePreparation CSP description: Learn more about the DevicePreparation CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -184,6 +184,15 @@ This node indicates whether the MDM agent was installed or not. When set to true | Default Value | False | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Mdm Agent Not Installed. | +| true | Mdm Agent Installed. | + + @@ -263,6 +272,15 @@ This node indicates whether an MDM policy was provisioned that requires a reboot | Default Value | False | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | No Reboot Required. | +| true | Reboot Required. | + + 
@@ -303,6 +321,15 @@ This node determines whether to show the Device Preparation page during OOBE. | Default Value | false | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Page. | +| true | Enable Page. | + + diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index cdccc959341..903c08866d4 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -1,7 +1,7 @@ --- title: DevicePreparation DDF file description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -64,6 +64,16 @@ The following XML file contains the device description framework (DDF) for the D + + + false + Disable Page + + + true + Enable Page + + @@ -320,6 +330,16 @@ The following XML file contains the device description framework (DDF) for the D + + + false + Mdm Agent Not Installed + + + true + Mdm Agent Installed + + @@ -342,6 +362,16 @@ The following XML file contains the device description framework (DDF) for the D + + + false + No Reboot Required + + + true + Reboot Required + + diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 5ddde61818a..0e022050076 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -1,7 +1,7 @@ --- title: DeviceStatus DDF file description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- 
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
 10.0.10586
 1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index 37290dd8caf..a57636514a9 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: DevInfo DDF file
 description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
@@ -41,7 +41,7 @@ The following XML file contains the device description framework (DDF) for the D
 10.0.10586
 1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 4b7a1160206..03887d47c35 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,7 +1,7 @@
 ---
 title: DiagnosticLog DDF file
 description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 28cbe9c4f01..271a68b16e5 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -1,7 +1,7 @@ --- title: DMAcc CSP description: Learn more about the DMAcc CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -709,7 +709,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types |:--|:--| | Format | `chr` (string) | | Access Type | Add, Get, Replace | -| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel`
    Dependency Allowed Value: `SRVCRED`
    Dependency Allowed Value Type: `ENUM`
    | +| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn`
    Dependency URI: `SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel`
    Dependency Allowed Value: `SRVCRED`
    Dependency Allowed Value Type: `ENUM`
    | diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 96ba92429a4..15fc5f32313 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -1,7 +1,7 @@ --- title: DMAcc DDF file description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -527,7 +527,7 @@ The following XML file contains the device description framework (DDF) for the D - Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel + SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel SRVCRED diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 535eaf637a3..6011d8d1628 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -1,7 +1,7 @@ --- title: DMClient CSP description: Learn more about the DMClient CSP. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -632,7 +632,7 @@ This node, when it's set, tells the client to set how many minutes the device sh | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3235] and later
    ✅ Windows Insider Preview | @@ -671,7 +671,7 @@ Parent node for ConfigRefresh nodes. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3235] and later
    ✅ Windows Insider Preview | @@ -712,7 +712,7 @@ This node determines the number of minutes between refreshes. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3235] and later
    ✅ Windows Insider Preview | @@ -745,8 +745,8 @@ This node determines whether or not a periodic settings refresh for MDM policies | Value | Description | |:--|:--| -| true | ConfigRefresh is enabled. | -| false (Default) | ConfigRefresh is disabled. | +| true | Enabled. | +| false (Default) | Disabled. | @@ -761,7 +761,7 @@ This node determines whether or not a periodic settings refresh for MDM policies | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3235] and later
    ✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 64dd766397b..b82d0fe21b6 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1,7 +1,7 @@ --- title: DMClient DDF file description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -477,7 +477,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -2958,7 +2958,7 @@ The following XML file contains the device description framework (DDF) for the D - 99.9.99999 + 99.9.99999, 10.0.22621.3235, 10.0.22000.2836 1.6 @@ -2988,11 +2988,11 @@ The following XML file contains the device description framework (DDF) for the D true - ConfigRefresh is enabled. + Enabled false - ConfigRefresh is disabled. + Disabled LastWrite diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 2b9763c045f..144f69b17d8 100644 --- a/windows/client-management/mdm/email2-ddf-file.md 
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: EMAIL2 DDF file
 description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index 4c2b45f8d4a..e0331f74f75 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -1,7 +1,7 @@
 ---
 title: EnterpriseDesktopAppManagement CSP
 description: Learn more about the EnterpriseDesktopAppManagement CSP.
-ms.date: 01/18/2024
+ms.date: 05/20/2024
 ---
@@ -172,7 +172,7 @@ For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-sche
 | Property name | Property value |
 |:--|:--|
 | Format | `xml` |
-| Access Type | Add, Delete, Exec, Get |
+| Access Type | Add, Delete, Exec, Get, Replace |
@@ -695,7 +695,7 @@ For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-sche
 | Property name | Property value |
 |:--|:--|
 | Format | `xml` |
-| Access Type | Add, Delete, Exec, Get |
+| Access Type | Add, Delete, Exec, Get, Replace |
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
index 3392fcb3176..ba537d72e7c 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: EnterpriseDesktopAppManagement DDF file
 description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
@@ -225,6 +225,7 @@ The following XML file contains the device description framework (DDF) for the E + was added to the section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]> @@ -585,6 +586,7 @@ The following XML file contains the device description framework (DDF) for the E + was added to the section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]> diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 4369995a2eb..831a924dde1 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -1,7 +1,7 @@ --- title: EnterpriseModernAppManagement CSP description: Learn more about the EnterpriseModernAppManagement CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -4602,7 +4602,7 @@ Specifies HoursBetweenUpdateChecks for a specific package. | Property name | Property value | |:--|:--| -| Format | `bool` | +| Format | `int` | | Access Type | Get, Replace | | Allowed Values | Range: `[8-10000]` | | Default Value | 8 | diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 6afb253277f..e3199dc618e 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -1,7 +1,7 @@ --- title: EnterpriseModernAppManagement DDF file description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- 
@@ -4550,7 +4550,7 @@ The following XML file contains the device description framework (DDF) for the E 8 Specifies HoursBetweenUpdateChecks for a specific package - + diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 62059a7c7d9..6a148a8d227 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -1,7 +1,7 @@ --- title: eUICCs DDF file description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 53b060e0f50..549c2cbc81f 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -1,7 +1,7 @@ --- title: Firewall CSP description: Learn more about the Firewall CSP. -ms.date: 01/18/2024 +ms.date: 06/21/2024 --- @@ -9,8 +9,6 @@ ms.date: 01/18/2024 # Firewall CSP -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. @@ -3465,7 +3463,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -3805,7 +3803,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -3954,7 +3952,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -3992,7 +3990,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4042,7 +4040,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4092,7 +4090,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4142,7 +4140,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4289,7 +4287,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4327,7 +4325,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4377,7 +4375,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4427,7 +4425,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4477,7 +4475,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4526,7 +4524,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4564,7 +4562,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4614,7 +4612,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4664,7 +4662,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | @@ -4714,7 +4712,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
    ✅ Windows Insider Preview [10.0.25398] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25398] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2352] and later | diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 580516ab560..e48568b2b5c 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -1,7 +1,7 @@ --- title: Firewall DDF file description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the F 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -4337,6 +4337,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. + diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index d68e4952d20..0c9d3828727 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -1,7 +1,7 @@ --- title: HealthAttestation DDF file description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md index d2589cc4a87..3739f4f1424 100644 --- a/windows/client-management/mdm/language-pack-management-ddf-file.md +++ b/windows/client-management/mdm/language-pack-management-ddf-file.md 
@@ -1,7 +1,7 @@ --- title: LanguagePackManagement DDF file description: View the XML file containing the device description framework (DDF) for the LanguagePackManagement configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the L 99.9.9999 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index 1d92425031a..0e5e7d5b2d6 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md @@ -1,7 +1,7 @@ --- title: LAPS CSP description: Learn more about the LAPS CSP. -ms.date: 01/31/2024 +ms.date: 06/21/2024 --- @@ -55,7 +55,7 @@ The following list shows the LAPS configuration service provider nodes: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -94,7 +94,7 @@ Defines the parent interior node for all action-related settings in the LAPS CSP | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -134,7 +134,7 @@ This action invokes an immediate reset of the local administrator account passwo | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -179,7 +179,7 @@ The value returned is an HRESULT code: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -219,7 +219,7 @@ Root node for LAPS policies. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -269,7 +269,7 @@ This setting has a maximum allowed value of 12 passwords. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -314,7 +314,7 @@ Note if a custom managed local administrator account name is specified in this s | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -376,7 +376,7 @@ If not specified, this setting defaults to True. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -432,7 +432,7 @@ If the specified user or group account is invalid the device will fallback to us | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -488,7 +488,7 @@ If not specified, this setting defaults to False. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -543,7 +543,7 @@ If not specified, this setting defaults to False. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -587,7 +587,7 @@ If not specified, this setting will default to "WLapsAdmin". | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -643,7 +643,7 @@ If not specified, this setting defaults to False. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -701,7 +701,7 @@ If not specified, this setting will default to 1. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -759,7 +759,7 @@ If not specified, this setting will default to 0. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -807,7 +807,7 @@ This setting has a maximum allowed value of 10 words. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -855,7 +855,7 @@ This setting has a maximum allowed value of 365 days. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -927,7 +927,7 @@ Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrase | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -983,7 +983,7 @@ If not specified, this setting defaults to True. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -1031,7 +1031,7 @@ This setting has a maximum allowed value of 64 characters. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -1089,7 +1089,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later
    ✅ Windows Insider Preview [10.0.25145] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later
    ✅ [10.0.25145] and later
    ✅ Windows 10, version 1809 [10.0.17763.4244] and later
    ✅ Windows 10, version 2004 [10.0.19041.2784] and later
    ✅ Windows 11, version 21H2 [10.0.22000.1754] and later
    ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md index d347e573747..5d06e470a6c 100644 --- a/windows/client-management/mdm/laps-ddf-file.md +++ b/windows/client-management/mdm/laps-ddf-file.md @@ -1,7 +1,7 @@ --- title: LAPS DDF file description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the L 10.0.25145, 10.0.22621.1480, 10.0.22000.1754, 10.0.20348.1663, 10.0.19041.2784, 10.0.17763.4244 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index a7ee14b7abf..44489017985 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -1,7 +1,7 @@ --- title: NetworkProxy DDF file description: View the XML file containing the device description framework (DDF) for the NetworkProxy configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; 
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 16220bc01f2..04b4528ac6a 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -1,7 +1,7 @@ --- title: NetworkQoSPolicy DDF file description: View the XML file containing the device description framework (DDF) for the NetworkQoSPolicy configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.19042 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index 0dd13ab94a9..4d442904e42 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -1,7 +1,7 @@ --- title: NodeCache DDF file description: View the XML file containing the device description framework (DDF) for the NodeCache configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.15063 1.1 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; 
@@ -294,7 +294,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 1453b24f559..e36405ce71a 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -1,7 +1,7 @@ --- title: Office DDF file description: View the XML file containing the device description framework (DDF) for the Office configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 6c581a73352..fe7da7ac06a 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -1,7 +1,7 @@ --- title: PassportForWork CSP description: Learn more about the PassportForWork CSP. -ms.date: 01/18/2024 +ms.date: 06/21/2024 --- @@ -25,7 +25,6 @@ The following list shows the PassportForWork configuration service provider node - ./Device/Vendor/MSFT/PassportForWork - [{TenantId}](#devicetenantid) - [Policies](#devicetenantidpolicies) - - [DisablePostLogonCredentialCaching](#devicetenantidpoliciesdisablepostlogoncredentialcaching) - [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning) - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery) - [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys) 
@@ -158,62 +157,13 @@ Root node for policies. - -#### Device/{TenantId}/Policies/DisablePostLogonCredentialCaching - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonCredentialCaching -``` - - - - -Disable caching of the Windows Hello for Business credential after sign-in. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `bool` | -| Access Type | Add, Delete, Get, Replace | -| Default Value | False | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| false (Default) | Disabled. | -| true | Enabled. | - - - - - - - - #### Device/{TenantId}/Policies/DisablePostLogonProvisioning | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2402] and later
    ✅ Windows 10, version 2004 [10.0.19041.4239] and later
    ✅ Windows 11, version 21H2 [10.0.22000.2899] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3374] and later
    ✅ Windows Insider Preview | @@ -246,8 +196,8 @@ Don't start Windows Hello provisioning after sign-in. | Value | Description | |:--|:--| -| false (Default) | Post Logon Provisioning Enabled. | -| true | Post Logon Provisioning Disabled. | +| false (Default) | Provisioning Enabled. | +| true | Provisioning Disabled. | diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 92e080ba932..c94b22aed5b 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -1,7 +1,7 @@ --- title: PassportForWork DDF file description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -565,7 +565,7 @@ If you do not configure this policy setting, Windows Hello for Business requires 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; 
@@ -870,56 +870,17 @@ If you disable or do not configure this policy setting, the PIN recovery secret - 99.9.99999 - 1.6 - - - - false - Post Logon Provisioning Enabled - - - true - Post Logon Provisioning Disabled - - - - - - DisablePostLogonCredentialCaching - - - - - - - - False - Disable caching of the Windows Hello for Business credential after sign-in. - - - - - - - - - - - - - - 99.9.99999 + 99.9.99999, 10.0.22621.3374, 10.0.22000.2899, 10.0.20348.2402, 10.0.19041.4239 1.6 false - Disabled + Provisioning Enabled true - Enabled + Provisioning Disabled @@ -934,7 +895,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret False - Windows Hello for Business can use certificates to authenticate to on-premise resources. + Windows Hello for Business can use certificates to authenticate to on-premise resources. If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index 8cd2a709196..165f97507c4 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -1,7 +1,7 @@ --- title: PDE DDF file description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 70775b2f69a..d455b2968ae 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md 
@@ -1,7 +1,7 @@ --- title: Personalization CSP description: Learn more about the Personalization CSP. -ms.date: 01/31/2024 +ms.date: 06/21/2024 --- @@ -9,14 +9,12 @@ ms.date: 01/31/2024 # Personalization CSP -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. > [!IMPORTANT] -> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#boottocloudpcenhanced). +> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#deviceboottocloudpcenhanced). @@ -38,7 +36,7 @@ The following list shows the Personalization configuration service provider node | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later | @@ -77,7 +75,7 @@ This represents the status of the Company Logo. 1 - Successfully downloaded or c | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later | @@ -116,7 +114,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later | diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index 07040a68511..5a52a167846 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -1,7 +1,7 @@ --- title: Personalization DDF file description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -101,7 +101,7 @@ The following XML file contains the device description framework (DDF) for the P - A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. + A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. @@ -148,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the P - A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only. + A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only. @@ -162,7 +162,7 @@ The following XML file contains the device description framework (DDF) for the P - 99.9.99999 + 10.0.22621.3235 2.0 
@@ -189,7 +189,7 @@ The following XML file contains the device description framework (DDF) for the P - 99.9.99999 + 10.0.22621.3235 2.0 @@ -217,7 +217,7 @@ The following XML file contains the device description framework (DDF) for the P - 99.9.99999 + 10.0.22621.3235 2.0 diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 254cb8d7aa0..3c0d28e2e60 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1,7 +1,7 @@ --- title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. -ms.date: 01/31/2024 +ms.date: 06/28/2024 --- @@ -539,8 +539,6 @@ This article lists the ADMX-backed policies in Policy CSP. - [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md) - [RestrictRunFromHelp_Comp](policy-csp-admx-help.md) - [DisableHHDEP](policy-csp-admx-help.md) -- [AllowChildProcesses](policy-csp-admx-help.md) -- [HideChildProcessMessageBox](policy-csp-admx-help.md) ## ADMX_HelpAndSupport @@ -1945,6 +1943,7 @@ This article lists the ADMX-backed policies in Policy CSP. - [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) - [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) - [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md) +- [DisableMotWOnInsecurePathCopy](policy-csp-admx-windowsexplorer.md) - [EnableSmartScreen](policy-csp-admx-windowsexplorer.md) - [NoNewAppAlert](policy-csp-admx-windowsexplorer.md) - [ShowHibernateOption](policy-csp-admx-windowsexplorer.md) 
@@ -2212,6 +2211,7 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
 - [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
 - [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
+- [AllowLegacyURLFields](policy-csp-internetexplorer.md)
 - [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
 - [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
 - [JScriptReplacement](policy-csp-internetexplorer.md)
@@ -2537,8 +2537,9 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [RequireSecureRPCCommunication](policy-csp-remotedesktopservices.md)
 - [ClientConnectionEncryptionLevel](policy-csp-remotedesktopservices.md)
 - [DoNotAllowWebAuthnRedirection](policy-csp-remotedesktopservices.md)
-- [DisconnectOnLockBasicAuthn](policy-csp-remotedesktopservices.md)
-- [DisconnectOnLockWebAccountAuthn](policy-csp-remotedesktopservices.md)
+- [DisconnectOnLockLegacyAuthn](policy-csp-remotedesktopservices.md)
+- [DisconnectOnLockMicrosoftIdentityAuthn](policy-csp-remotedesktopservices.md)
+- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md)
 ## RemoteManagement
@@ -2590,10 +2591,6 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md)
 - [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md)
-## Sudo
-
-- [EnableSudo](policy-csp-sudo.md)
-
 ## System
 - [BootStartDriverInitialization](policy-csp-system.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 40ec4c37e3c..a9bd1aa0ed0 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -1,7 +1,7 @@
 ---
 title: Policies in Policy CSP supported by Group Policy
 description: Learn about the policies in Policy CSP supported by Group Policy.
-ms.date: 01/31/2024
+ms.date: 06/28/2024
 ---
@@ -530,6 +530,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md)
 - [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md)
 - [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGenerativeAI](policy-csp-privacy.md)
+- [LetAppsAccessGenerativeAI_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGenerativeAI_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGenerativeAI_UserInControlOfTheseApps](policy-csp-privacy.md)
 - [LetAppsAccessGraphicsCaptureProgrammatic](policy-csp-privacy.md)
 - [LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps](policy-csp-privacy.md)
 - [LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps](policy-csp-privacy.md)
@@ -659,6 +663,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md)
 - [ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md)
+## Sudo
+
+- [EnableSudo](policy-csp-sudo.md)
+
 ## System
 - [AllowTelemetry](policy-csp-system.md)
@@ -801,6 +809,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md)
 - [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md)
 - [AllowOptionalContent](policy-csp-update.md)
+- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md)
 ## UserRights
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 8a1244f15d1..c0c0fd25883 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -39,6 +39,10 @@ ms.date: 02/03/2023
 - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth) 10
 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) 10
 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) 10
+- [Device/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys) 12
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md#allowinstallationofmatchingdeviceids) 12
+- [DeviceInstallation/DeviceInstall_Removable_Deny](policy-csp-admx-deviceinstallation.md#deviceinstall_removable_deny) 12
+- [DeviceInstallation/EnableInstallationPolicyLayering](policy-csp-deviceinstallation.md#enableinstallationpolicylayering) 12
 - [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
 - [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
 - [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
@@ -59,12 +63,18 @@ ms.date: 02/03/2023
 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
 - [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12
 - [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12
+- [MixedReality/EnableStartMenuWristTap](./policy-csp-mixedreality.md#enablestartmenuwristtap)12
+- [MixedReality/EnableStartMenuSingleHandGesture](./policy-csp-mixedreality.md#enablestartmenusinglehandgesture) 12
+- [MixedReality/EnableStartMenuVoiceCommand](./policy-csp-mixedreality.md#enablestartmenuvoicecommand) 12
 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9
 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9
 - [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12
+- [MixedReality/PreferLogonAsOtherUser](./policy-csp-mixedreality.md#preferlogonasotheruser) 12
 - [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#skipcalibrationduringsetup) 12
 - [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12
+- [MixedReality/RequireStartIconHold](./policy-csp-mixedreality.md#requirestarticonhold) 12
+- [MixedReality/RequireStartIconVisible](./policy-csp-mixedreality.md#requirestarticonvisible) 12
 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10
 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9
 -
[Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9, 14
@@ -91,9 +101,9 @@ ms.date: 02/03/2023
 - [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8
 - [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8
 - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
-- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12
-- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12
-- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesslocation_forceallowtheseapps) 12
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesslocation_forcedenytheseapps) 12
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesslocation_userincontroloftheseapps) 12
 - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8
 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8
@@ -113,8 +123,8 @@ ms.date: 02/03/2023
 - [System/AllowLocation](policy-csp-system.md#allowlocation)
 - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
 - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [System/ConfigureTelemetryOptInSettingsUx](/windows/client-management/mdm/policy-csp-system) 12
-- [System/DisableDeviceDelete](/windows/client-management/mdm/policy-csp-system) 12
+- [System/ConfigureTelemetryOptInSettingsUx](policy-csp-system.md#configuretelemetryoptinsettingsux) 12
+- [System/DisableDeviceDelete](policy-csp-system.md#disabledevicedelete) 12
 - [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9
 - [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9
 - [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9
@@ -165,6 +175,3 @@ Footnotes:
 [Policy CSP](policy-configuration-service-provider.md)
 [Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support)
-
-
-
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 17bb6fddc66..a51aba58510 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -1,7 +1,7 @@
 ---
 title: Policies in Policy CSP supported by Windows 10 Team
 description: Learn about the policies in Policy CSP supported by Windows 10 Team.
-ms.date: 01/18/2024
+ms.date: 06/19/2024
 ---
@@ -315,6 +315,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
 - [AllowOptionalContent](policy-csp-update.md#allowoptionalcontent)
 - [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
 - [AllowUpdateService](policy-csp-update.md#allowupdateservice)
+- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md#alwaysautorebootatscheduledtimeminutes)
 - [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
 - [ConfigureFeatureUpdateUninstallPeriod](policy-csp-update.md#configurefeatureupdateuninstallperiod)
 - [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index efc7033c36a..7aa96cc52c8 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,7 +1,7 @@
 ---
 title: Policy CSP
 description: Learn more about the Policy CSP.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 0c304bbebba..05e84c1ade0 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -1,7 +1,7 @@
 ---
 title: AboveLock Policy CSP
 description: Learn more about the AboveLock Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
@@ -22,7 +22,7 @@ ms.date: 01/18/2024
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index ee3e45f1c61..b51b3ad8ab5 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,7 +1,7 @@ --- title: ADMX_Help Policy CSP description: Learn more about the ADMX_Help Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -11,62 +11,10 @@ ms.date: 01/31/2024 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - - -## AllowChildProcesses - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Help/AllowChildProcesses -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `chr` (string) | -| Access Type | Add, Delete, Get, Replace | - - - - -[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AllowChildProcesses | -| ADMX File Name | Help.admx | - - - - - - - - ## DisableHHDEP @@ -200,56 +148,6 @@ For additional options, see the "Restrict these programs from being launched fro - -## HideChildProcessMessageBox - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Help/HideChildProcessMessageBox -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `chr` (string) | -| Access Type | Add, Delete, Get, Replace | - - - - -[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | HideChildProcessMessageBox | -| ADMX File Name | Help.admx | - - - - - - - - ## RestrictRunFromHelp diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 0a223d43d08..387bcff31c3 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -1,7 +1,7 @@ --- title: ADMX_StartMenu Policy CSP description: Learn more about the ADMX_StartMenu Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- 
@@ -3577,7 +3577,7 @@ This policy setting allows you to remove links and access to Windows Update. - If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. -Enabling this policy setting blocks user access to the Windows Update Web site at< https://windowsupdate.microsoft.com>. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. +Enabling this policy setting blocks user access to the Windows Update Web site at `https://windowsupdate.microsoft.com`. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 0b5853336ac..42757e235ef 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1,7 +1,7 @@ --- title: ADMX_TerminalServer Policy CSP description: Learn more about the ADMX_TerminalServer Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 7fe9bd96795..aa8dc357335 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -1,7 +1,7 @@ --- title: ADMX_WindowsExplorer Policy CSP description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- 
@@ -456,6 +456,56 @@ You can specify a known folder using its known folder id or using its canonical + +## DisableMotWOnInsecurePathCopy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
    ✅ Windows 10, version 2009 [10.0.19042.1202] and later
    ✅ Windows 10, version 21H1 [10.0.19043.1202] and later
    ✅ Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableMotWOnInsecurePathCopy +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableMotWOnInsecurePathCopy | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## DisableSearchBoxSuggestions diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index ad9da6b96b0..aaadbfb0856 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -1,7 +1,7 @@ --- title: ADMX_WindowsStore Policy CSP description: Learn more about the ADMX_WindowsStore Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 07/08/2024 --- @@ -200,7 +200,7 @@ Enables or disables the Store offer to update to the latest version of Windows. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ❌ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
    ✅ Windows 10, version 2009 [10.0.19042.1202] and later
    ✅ Windows 10, version 21H1 [10.0.19043.1202] and later
    ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ❌ Device
    ✅ User | ❌ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
    ✅ Windows 10, version 2009 [10.0.19042.1202] and later
    ✅ Windows 10, version 21H1 [10.0.19043.1202] and later
    ✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -220,8 +220,6 @@ Denies or allows access to the Store application. -> [!NOTE] -> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). @@ -261,7 +259,7 @@ Denies or allows access to the Store application. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
    ✅ Windows 10, version 2009 [10.0.19042.1202] and later
    ✅ Windows 10, version 21H1 [10.0.19043.1202] and later
    ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
    ❌ User | ❌ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
    ✅ Windows 10, version 2009 [10.0.19042.1202] and later
    ✅ Windows 10, version 21H1 [10.0.19043.1202] and later
    ✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -281,8 +279,6 @@ Denies or allows access to the Store application. -> [!NOTE] -> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index ba4fc8b016c..7b1698c4628 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,7 +1,7 @@ --- title: ApplicationManagement Policy CSP description: Learn more about the ApplicationManagement Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -428,7 +428,7 @@ Manages a Windows app's ability to share data between users who have installed t | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ❌ Pro
    ✅ Enterprise
    ✅ Education
    ❌ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -480,7 +480,7 @@ This policy is deprecated. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 08315383915..88527a21f76 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1,7 +1,7 @@ --- title: Browser Policy CSP description: Learn more about the Browser Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -178,7 +178,7 @@ To verify AllowAutofill is set to 0 (not allowed): | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ✅ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -2713,7 +2713,7 @@ Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseM | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
    ✅ User | ❌ Pro
    ❌ Enterprise
    ❌ Education
    ❌ Windows SE
    ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 26b96531e84..1a15adf8c00 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,7 +1,7 @@ --- title: Connectivity Policy CSP description: Learn more about the Connectivity Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -252,7 +252,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -375,7 +375,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | ❌ Pro
    ❌ Enterprise
    ❌ Education
    ❌ Windows SE
    ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index ba4d3d7bde6..a790f24a264 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,7 +1,7 @@ --- title: Defender Policy CSP description: Learn more about the Defender Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -402,7 +402,7 @@ This policy setting allows you to manage whether or not to scan for malicious so |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | +| Default Value | 0 | @@ -410,8 +410,8 @@ This policy setting allows you to manage whether or not to scan for malicious so | Value | Description | |:--|:--| -| 0 | Not allowed. Turns off scanning on removable drives. | -| 1 (Default) | Allowed. Scans removable drives. | +| 0 (Default) | Not allowed. Turns off scanning on removable drives. | +| 1 | Allowed. Scans removable drives. | diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index f9f05c2927b..6e3f949a365 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,7 +1,7 @@ --- title: DeliveryOptimization Policy CSP description: Learn more about the DeliveryOptimization Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 06/19/2024 --- 
@@ -1500,20 +1500,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
-
-Set this policy to restrict peer selection via selected option.
-
-Options available are:
-
-0 = NAT.
-
-1 = Subnet mask.
-
-2 = Local discovery (DNS-SD).
-
-The default value has changed from 0 (no restriction) to 1 (restrict to the subnet).
-
-These options apply to both Download Mode LAN (1) and Group (2).
+
+Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 649a6dada2a..fbc47a783d7 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceLock Policy CSP
 description: Learn more about the DeviceLock Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
@@ -114,7 +114,7 @@ Allow Administrator account lockout This security setting determines whether the
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | ❌ Pro
    ❌ Enterprise
    ❌ Education
    ❌ Windows SE
    ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -429,6 +429,10 @@ Specifies whether device lock is enabled. > - DevicePasswordHistory > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock + +> [!NOTE] +> DevicePasswordExpiration isn't supported through MDMWinsOverGP. + @@ -782,7 +786,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later | +| ✅ Device
    ❌ User | ❌ Pro
    ❌ Enterprise
    ❌ Education
    ❌ Windows SE
    ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later | diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index f7ecf4bf2a7..3bc6e9af568 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,7 +1,7 @@ --- title: Experience Policy CSP description: Learn more about the Experience Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -100,7 +100,7 @@ Policy change takes effect immediately. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -833,7 +833,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -949,7 +949,7 @@ Specifies whether to allow app and content suggestions from third-party software | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -1887,7 +1887,7 @@ _**Turn syncing off by default but don’t disable**_ | Scope | Editions | Applicable OS | |:--|:--|:--| -| ❌ Device
    ✅ User | ❌ Pro
    ✅ Enterprise
    ✅ Education
    ❌ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ❌ Device
    ✅ User | ❌ Pro
    ✅ Enterprise
    ✅ Education
    ❌ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.900] and later
    ✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index a6efb038f93..61083dafc69 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,7 +1,7 @@ --- title: InternetExplorer Policy CSP description: Learn more about the InternetExplorer Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 06/21/2024 --- @@ -985,6 +985,60 @@ Note. It's recommended to configure template policy settings in one Group Policy + +## AllowLegacyURLFields + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLegacyURLFields +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLegacyURLFields +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowLegacyURLFields | +| ADMX File Name | inetres.admx | + + + + + + + + ## AllowLocalMachineZoneTemplate @@ -7718,7 +7772,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
    ✅ [10.0.25398.643] and later
    ✅ [10.0.25965] and later
    ✅ Windows 10, version 2004 [10.0.19041.3758] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2792] and later | @@ -8793,7 +8847,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
    ✅ [10.0.25398.643] and later
    ✅ [10.0.25965] and later
    ✅ Windows 10, version 2004 [10.0.19041.3758] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2792] and later | @@ -17364,7 +17418,7 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2227] and later
    ✅ [10.0.25398.643] and later
    ✅ [10.0.25965] and later
    ✅ Windows 10, version 2004 [10.0.19041.3758] and later
    ✅ Windows 11, version 22H2 [10.0.22621.2792] and later | diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 5094419e311..ade6bf6cb1c 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy Policy CSP description: Learn more about the Privacy Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -9,8 +9,6 @@ ms.date: 01/18/2024 # Policy CSP - Privacy -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - @@ -2400,6 +2398,207 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use + +## LetAppsAccessGenerativeAI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI +``` + + + + +This policy setting specifies whether Windows apps can use generative AI features of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGenerativeAI | +| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy | +| Element Name | LetAppsAccessGenerativeAI_Enum | + + + + + + + + + +## LetAppsAccessGenerativeAI_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceAllowTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGenerativeAI | +| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy | +| Element Name | LetAppsAccessGenerativeAI_ForceAllowTheseApps_List | + + + + + + + + + +## LetAppsAccessGenerativeAI_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGenerativeAI | +| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy | +| Element Name | LetAppsAccessGenerativeAI_ForceDenyTheseApps_List | + + + + + + + + + +## LetAppsAccessGenerativeAI_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the generative AI setting for the listed apps. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGenerativeAI | +| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy | +| Element Name | LetAppsAccessGenerativeAI_UserInControlOfTheseApps_List | + + + + + + + + ## LetAppsAccessGraphicsCaptureProgrammatic @@ -2929,7 +3128,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later | @@ -3005,7 +3204,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later | @@ -3070,7 +3269,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later | @@ -3135,7 +3334,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25000] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.25000] and later | diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 2e7833047e4..4e865bd15fe 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,7 +1,7 @@ --- title: RemoteDesktopServices Policy CSP description: Learn more about the RemoteDesktopServices Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -150,39 +150,39 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp - -## DisconnectOnLockBasicAuthn + +## DisconnectOnLockLegacyAuthn - + | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockBasicAuthn +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockLegacyAuthn ``` - + - + - + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | - + - + [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] @@ -192,47 +192,47 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp |:--|:--| | Name | TS_DISCONNECT_ON_LOCK_POLICY | | ADMX File Name | terminalserver.admx | - + - + - + - + - -## DisconnectOnLockWebAccountAuthn + +## DisconnectOnLockMicrosoftIdentityAuthn - + | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockWebAccountAuthn +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockMicrosoftIdentityAuthn ``` - + - + - + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | - + - + [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] @@ -242,13 +242,13 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp |:--|:--| | Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY | | ADMX File Name | terminalserver.admx | - + - + - + - + ## DoNotAllowDriveRedirection @@ -439,7 +439,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later
    ✅ [10.0.25398.946] and later
    ✅ Windows 11, version 21H2 [10.0.22000.3014] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3672] and later
    ✅ Windows 11, version 23H2 [10.0.22631.3672] and later
    ✅ Windows Insider Preview | @@ -493,7 +493,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later
    ✅ [10.0.25398.946] and later
    ✅ Windows 11, version 21H2 [10.0.22000.3014] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3672] and later
    ✅ Windows 11, version 23H2 [10.0.22631.3672] and later
    ✅ Windows Insider Preview | @@ -672,6 +672,56 @@ If the status is set to Not Configured, unsecured communication is allowed. + +## TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2400] and later
    ✅ [10.0.25398.827] and later
    ✅ Windows 11, version 21H2 [10.0.22000.2898] and later
    ✅ Windows 11, version 22H2 [10.0.22621.3374] and later
    ✅ Windows 11, version 23H2 [10.0.22631.3374] and later
    ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME | +| ADMX File Name | TerminalServer.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index ba702af7696..8734513a6ec 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,7 +1,7 @@ --- title: Search Policy CSP description: Learn more about the Search Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 07/08/2024 --- @@ -919,7 +919,7 @@ This policy setting configures whether or not locations on removable drives can | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ❌ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | @@ -1116,7 +1116,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1607 [10.0.14393] and later | diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index b1093ffddcc..25e55a8941e 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,7 +1,7 @@ --- title: Security Policy CSP description: Learn more about the Security Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -71,7 +71,7 @@ Specifies whether to allow the runtime configuration agent to install provisioni | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | ❌ Pro
    ❌ Enterprise
    ❌ Education
    ❌ Windows SE
    ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -172,7 +172,7 @@ Specifies whether to allow the runtime configuration agent to remove provisionin | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index eeb0d6f1baa..bf9e5d11f52 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,7 +1,7 @@ --- title: Settings Policy CSP description: Learn more about the Settings Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 05/20/2024 --- @@ -169,10 +169,13 @@ Allows the user to change date and time settings. ## AllowEditDeviceName +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1607 [10.0.14393] and later | @@ -183,7 +186,7 @@ Allows the user to change date and time settings. -Allows the user to edit the device name. +This policy is deprecated. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 8ae3504c728..cfa71536beb 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -542,7 +542,7 @@ Allows admin to override the default items pinned to Start. With this policy you can push a new list of pinned apps to override the default/current list of pinned apps in the Windows Start menu. -For more information on how to configure the Start menu, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11). +For more information on how to configure the Start menu, see [Customize the Start layout](/windows/configuration/start/layout). This string policy takes a JSON file named `LayoutModification.json`. The file enumerates the items to pin and their relative order. diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md index 13be1bd00e2..09a4e3c938c 100644 --- a/windows/client-management/mdm/policy-csp-sudo.md +++ b/windows/client-management/mdm/policy-csp-sudo.md @@ -1,7 +1,7 @@ --- title: Sudo Policy CSP description: Learn more about the Sudo Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -9,8 +9,6 @@ ms.date: 01/31/2024 # Policy CSP - Sudo -[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] - [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] 
@@ -45,21 +43,30 @@ ms.date: 01/31/2024 | Property name | Property value | |:--|:--| -| Format | `chr` (string) | +| Format | `int` | | Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | - - -[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Sudo is disabled. | +| 1 | Sudo is allowed in 'force new window' mode. | +| 2 | Sudo is allowed in 'disable input' mode. | +| 3 (Default) | Sudo is allowed in 'inline' mode. | + -**ADMX mapping**: + +**Group policy mapping**: | Name | Value | |:--|:--| | Name | EnableSudo | -| ADMX File Name | Sudo.admx | - +| Path | Sudo > AT > System | + diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index b08d9a0c2d2..2d9c9595f5c 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,7 +1,7 @@ --- title: SystemServices Policy CSP description: Learn more about the SystemServices Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -9,6 +9,8 @@ ms.date: 01/18/2024 # Policy CSP - SystemServices +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -19,7 +21,7 @@ ms.date: 01/18/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -169,7 +171,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -219,7 +221,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -269,7 +271,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -319,7 +321,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -369,7 +371,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -419,7 +421,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -469,7 +471,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -519,7 +521,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -569,7 +571,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -619,7 +621,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -669,7 +671,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -719,7 +721,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -769,7 +771,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -819,7 +821,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -869,7 +871,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index ec0faa29242..cfd36f3bb74 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,7 +1,7 @@ --- title: TimeLanguageSettings Policy CSP description: Learn more about the TimeLanguageSettings Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -22,7 +22,7 @@ ms.date: 01/18/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later | +| ✅ Device
    ❌ User | Not applicable | ✅ Windows 10, version 1703 [10.0.15063] and later | diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d52bea489cc..b9c4783c85a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,7 +1,7 @@ --- title: Update Policy CSP description: Learn more about the Update Area in Policy CSP. -ms.date: 02/14/2024 +ms.date: 06/19/2024 --- @@ -18,6 +18,7 @@ ms.date: 02/14/2024 Update CSP policies are listed below based on the group policy area: - [Windows Insider Preview](#windows-insider-preview) + - [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes) - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates) - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) @@ -100,6 +101,68 @@ Update CSP policies are listed below based on the group policy area: ## Windows Insider Preview + +### AlwaysAutoRebootAtScheduledTimeMinutes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes +``` + + + + + +- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days. + +The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users. + +- If you disable or don't configure this policy, Windows Update won't alter its restart behavior. + +If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[15-180]` | +| Default Value | 15 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AlwaysAutoRebootAtScheduledTime | +| Friendly Name | Always automatically restart at the scheduled time | +| Element Name | work (minutes) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + ### ConfigureDeadlineNoAutoRebootForFeatureUpdates @@ -1159,8 +1222,11 @@ If you enter an invalid value, you'll remain on your current version until you c Supported value type is a string containing Windows version number. For example, `1809`, `1903`, etc. - +> [!NOTE] +> You need to set up the ProductVersion CSP along with the TargetReleaseVersion CSP for it to work. + + **Description framework properties**: 
@@ -1556,7 +1622,8 @@ Configure this policy to specify whether to receive **Windows Feature Updates**
 - SetPolicyDrivenUpdateSourceForOtherUpdates
 > [!NOTE]
-> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+> - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration.
@@ -1694,7 +1761,8 @@ Configure this policy to specify whether to receive **Windows Quality Updates**
 - SetPolicyDrivenUpdateSourceForOtherUpdates
 > [!NOTE]
-> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+> - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration.
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index aa027def071..c971a471a81 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,7 @@
 ---
 title: WindowsAI Policy CSP
 description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 06/28/2024
 ---
@@ -21,7 +21,7 @@ ms.date: 01/31/2024
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ❌ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | +| ❌ Device
    ✅ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -32,11 +32,7 @@ ms.date: 01/31/2024 -This policy setting allows you to prevent Windows AI from using and analyzing user patterns and data. - -- If you enable this policy setting, Windows AI won't be able to take advantage of historical user patterns. - -- If you disable or don't configure this policy setting, Windows AI will be able to assist users by considering their historical behaviors and data. +This policy setting allows you to determine whether end users have the option to allow snapshots to be saved on their PCs. If disabled, end users will have a choice to save snapshots of their screen on their PC and then use Recall to find things they've seen. If the policy is enabled, end users won't be able to save snapshots on their PC. If the policy isn't configured, end users may or may not be able to save snapshots on their PC-depending on other policy configurations. @@ -58,8 +54,8 @@ This policy setting allows you to prevent Windows AI from using and analyzing us | Value | Description | |:--|:--| -| 0 (Default) | Enable Data Analysis for Windows AI. | -| 1 | Disable Data Analysis for Windows AI. | +| 0 (Default) | Enable Saving Snapshots for Windows. | +| 1 | Disable Saving Snapshots for Windows. | @@ -80,6 +76,9 @@ This policy setting allows you to prevent Windows AI from using and analyzing us ## TurnOffWindowsCopilot +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + | Scope | Editions | Applicable OS | |:--|:--|:--| 
@@ -102,6 +101,9 @@ This policy setting allows you to turn off Windows Copilot.
+
+> [!Note]
+> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 9d17406fe6b..d9c4d40da17 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,7 +1,7 @@
 ---
 title: WindowsLogon Policy CSP
 description: Learn more about the WindowsLogon Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
@@ -34,11 +34,11 @@ ms.date: 01/18/2024 This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. -This only occurs if the last interactive user didn't sign out before the restart or shutdown. +This only occurs if the last interactive user didn't sign out before the restart or shutdown. If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. -- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. +- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot . 
@@ -389,6 +389,13 @@ This policy controls the configuration under which winlogon sends MPR notificati
+> [!NOTE]
+> Starting in Windows Insiders build 25216, the behavior of EnableMPRNotifications policy was changed, and the Group Policy was updated with the following text:
+>
+> - **Friendly name**: Configure the transmission of the user's password in the content of MPR notifications sent by winlogon
+> - **Description**: This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
+> - If you disable this setting or do not configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
+> - If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md
index 3c4a974d939..e4db037ecb6 100644
--- a/windows/client-management/mdm/printerprovisioning-ddf-file.md
+++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: PrinterProvisioning DDF file
 description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index 3b86f5316c8..ab06e22815d 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: Reboot DDF file
 description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the R
 10.0.14393
 1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index d5a746496d0..5479190d60b 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: RootCATrustedCertificates DDF file
 description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the R
 10.0.10586
 1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
@@ -1067,7 +1067,7 @@ The following XML file contains the device description framework (DDF) for the R
 10.0.10586
 1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index ef8d5268731..7d49cb3604b 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: SecureAssessment DDF file
 description: View the XML file containing the device description framework (DDF) for the SecureAssessment configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index fd1f225e74c..4412297df6d 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: SharedPC DDF file
 description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the S
 10.0.14393
 1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index e489dea63b7..0797c3447b8 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: SUPL DDF file
 description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider.
-ms.date: 01/18/2024
+ms.date: 06/28/2024
 ---
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 553037a410e..f830d00fd87 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -1,7 +1,7 @@ --- title: SurfaceHub CSP description: Learn more about the SurfaceHub CSP. -ms.date: 01/18/2024 +ms.date: 05/20/2024 --- @@ -65,6 +65,10 @@ The following list shows the SurfaceHub configuration service provider nodes: - [MOMAgent](#momagent) - [WorkspaceID](#momagentworkspaceid) - [WorkspaceKey](#momagentworkspacekey) + - [MOMAgentGovtCloud](#momagentgovtcloud) + - [AzureCloudIndexGovtCloud](#momagentgovtcloudazurecloudindexgovtcloud) + - [WorkspaceIDGovtCloud](#momagentgovtcloudworkspaceidgovtcloud) + - [WorkspaceKeyGovtCloud](#momagentgovtcloudworkspacekeygovtcloud) - [Properties](#properties) - [AllowAutoProxyAuth](#propertiesallowautoproxyauth) - [AllowSessionResume](#propertiesallowsessionresume) @@ -354,7 +358,7 @@ Possible error values: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.789] and later
    ✅ Windows 10, version 2009 [10.0.19042.789] and later
    ✅ Windows Insider Preview [99.9.9999] | +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.789] and later
    ✅ Windows 10, version 2009 [10.0.19042.789] and later
    ✅ Windows Insider Preview | @@ -2011,6 +2015,162 @@ Primary key for authenticating with workspace. Will always return an empty strin + +## MOMAgentGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +### MOMAgentGovtCloud/AzureCloudIndexGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/AzureCloudIndexGovtCloud +``` + + + + +Enum value for Azure Clouds supported for OMS tracking in SurfaceHub. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get, Replace | +| Default Value | 0 | + + + + + + + + + +### MOMAgentGovtCloud/WorkspaceIDGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/WorkspaceIDGovtCloud +``` + + + + +GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data for Govt Clouds. Set this to an empty string to disable the MOM agent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Get, Replace | + + + + + + + + + +### MOMAgentGovtCloud/WorkspaceKeyGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
    ❌ User | ✅ Pro
    ✅ Enterprise
    ✅ Education
    ✅ Windows SE
    ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/WorkspaceKeyGovtCloud +``` + + + + +Primary key for authenticating with workspace for Govt Clouds. Will always return an empty string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Get, Replace | + + + + + + + + ## Properties diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 4bfee13fce3..3222bade2df 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -1,7 +1,7 @@ --- title: SurfaceHub DDF file description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/22/2024 --- @@ -12,11 +12,10 @@ The following XML file contains the device description framework (DDF) for the S ```xml -]> + 1.2 - - + SurfaceHub ./Vendor/MSFT @@ -86,8 +85,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -110,8 +108,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -134,8 +131,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -158,8 +154,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -203,8 +198,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -227,8 +221,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -251,8 +244,7 @@ The following XML file contains the device description framework (DDF) for the S - - + 
@@ -534,8 +526,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.15063 1.0 - - +
    @@ -611,8 +602,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -753,8 +743,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -982,8 +971,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -1028,8 +1016,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -1522,8 +1509,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.15063, 10.0.14393.969 1.0 - - + @@ -1584,8 +1570,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -1633,8 +1618,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -1657,8 +1641,99 @@ The following XML file contains the device description framework (DDF) for the S - - + + + +
    + + MOMAgentGovtCloud + + + + + + + + + + + + + + + + + + 10.0.19045.4355 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + WorkspaceIDGovtCloud + + + + + + GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data for Govt Clouds. Set this to an empty string to disable the MOM agent. + + + + + + + + + + + text/plain + + + + + WorkspaceKeyGovtCloud + + + + + + Primary key for authenticating with workspace for Govt Clouds.. Will always return an empty string. + + + + + + + + + + + text/plain + + + + + AzureCloudIndexGovtCloud + + + + + + 0 + Enum value for Azure Clouds supported for OMS tracking in SurfaceHub. + + + + + + + + + + + text/plain + @@ -1702,8 +1777,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -1726,8 +1800,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    @@ -1754,8 +1827,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.17134, 10.0.16299.64 1.0 - - + LanProfile @@ -1777,8 +1849,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -1801,8 +1872,7 @@ The following XML file contains the device description framework (DDF) for the S - - +
    diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 1df0f1e524f..d4bcc4bdc15 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. -> **Note**  The UnifiedWriteFilter CSP is only supported in Windows 10 Enterprise and Windows 10 Education. +> **Note**  The UnifiedWriteFilter CSP is only supported in Windows 10/11 Enterprise and Windows 10/11 Education. The following example shows the UWF configuration service provider in tree format. ``` diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md index 183576910e0..a2cceef5811 100644 --- a/windows/client-management/mdm/universalprint-csp.md +++ b/windows/client-management/mdm/universalprint-csp.md 
@@ -18,9 +18,9 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis). +The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, see [Discover Universal Print](/universal-print/discover-universal-print). -This CSP was added in Windows 11 and in Windows 10 21H2 July 2022 update [KB5015807](https://support.microsoft.com/topic/july-12-2022-kb5015807-os-builds-19042-1826-19043-1826-and-19044-1826-8c8ea8fe-ec83-467d-86fb-a2f48a85eb41). +This CSP was added in Windows 11 and in Windows 10, version 21H2 July 2022 update [KB5015807](https://support.microsoft.com/topic/july-12-2022-kb5015807-os-builds-19042-1826-19043-1826-and-19044-1826-8c8ea8fe-ec83-467d-86fb-a2f48a85eb41). The following example shows the UniversalPrint configuration service provider in tree format. 
@@ -52,7 +52,7 @@ The data type is node (XML node). Supported operation is Get. **`` (PrinterSharedID)** -The Share ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). +The Share ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share ID in the printer's properties in the [Universal Print portal](/universal-print/reference/portal/navigate-azure-portal). The data type is node (XML node). Supported operations are Get, Add, and Delete. @@ -61,7 +61,7 @@ The data type is node (XML node). Supported operations are Get, Add, and Delete. **CloudDeviceID** -The Printer ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Printer ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). +The Printer ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Printer ID in the printer's properties in the [Universal Print portal](/universal-print/reference/portal/navigate-azure-portal). The data type is string/text (GUID). Supported operations are Get, Add, Delete, and Replace. 
@@ -70,7 +70,7 @@ The data type is string/text (GUID). Supported operations are Get, Add, Delete, **PrinterSharedName** -The Share Name is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share Name in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). +The Share Name is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share Name in the printer's properties in the [Universal Print portal](/universal-print/reference/portal/navigate-azure-portal). The data type is string/text. Supported operations are Get, Add, Delete, and Replace. diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index badf9f29e6f..abe39e405a3 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -1,7 +1,7 @@ --- title: VPNv2 DDF file description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the V 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; 
@@ -3265,7 +3265,7 @@ The following XML file contains the device description framework (DDF) for the V 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index a0ff37f35e5..a2a8cf4407d 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -1,7 +1,7 @@ --- title: WiFi DDF file description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -322,7 +322,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 040365664e7..c0d23cc5178 100644 
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -17,6 +17,13 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| +> [!IMPORTANT] +> Windows 11 Home devices that have been upgraded to one of the below mentioned applicable editions might require you to run the following command before onboarding: +> +> `DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~` +> +> For more information about edition upgrades and features, see [Customize Windows features](/windows-hardware/manufacture/desktop/windows-features?view=windows-11&preserve-view=true). + The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. The following example shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index bdee83a712a..06f96f2518e 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,7 +1,7 @@ --- title: WindowsDefenderApplicationGuard DDF file description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 28301129945..d2abdc9fc41 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md 
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -1,7 +1,7 @@ --- title: WindowsLicensing DDF file description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index ba3a3845edb..178bba80f32 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -1,7 +1,7 @@ --- title: WiredNetwork DDF file description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider. -ms.date: 01/18/2024 +ms.date: 06/28/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.17763 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; 
@@ -118,7 +118,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.17763 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 5d0537216af..214a73f052a 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -2,7 +2,7 @@ title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise. ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 ms.collection: - highpri - tier2 
@@ -43,13 +43,13 @@ The certificate enrollment is an implementation of the MS-WSTEP protocol. ### Management configuration -The server sends provisioning XML that contains a server certificate (for TLS/SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. +The server sends provisioning XML that contains a server certificate (for TLS/SSL server authentication), a client certificate issued by enterprise CA, DMClient bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. The following articles describe the end-to-end enrollment process using various authentication methods: - [Federated authentication device enrollment](federated-authentication-device-enrollment.md) - [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md) > [!NOTE] > As a best practice, don't use hardcoded server-side checks on values such as: 
@@ -168,4 +168,4 @@ TraceID is a freeform text node that is logged. It should identify the server si
 - [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
 - [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
 - [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
+- [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md)
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index dcfbdeb34b0..053a0dd7794 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -3,7 +3,7 @@ title: What's new in MDM enrollment and management
 description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # What's new in mobile device enrollment and management
diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md
index 3d1ff0619c6..5caf42c5f01 100644
--- a/windows/client-management/oma-dm-protocol-support.md
+++ b/windows/client-management/oma-dm-protocol-support.md
@@ -2,7 +2,7 @@
 title: OMA DM protocol support
 description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # OMA DM protocol support
diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md
index 0d3a3b1a1d7..e6c445b43cd 100644
--- a/windows/client-management/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md
@@ -2,7 +2,7 @@
 title: On-premises authentication device enrollment
 description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # On-premises authentication device enrollment
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md
index 0ac4310aab0..e0842698e80 100644
--- a/windows/client-management/push-notification-windows-mdm.md
+++ b/windows/client-management/push-notification-windows-mdm.md
@@ -2,7 +2,7 @@
 title: Push notification support for device management
 description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # Push notification support for device management
diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md
index 6b3a303e0ac..92e09679f46 100644
--- a/windows/client-management/server-requirements-windows-mdm.md
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -2,7 +2,7 @@
 title: Server requirements for using OMA DM to manage Windows devices
 description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # Server requirements for using OMA DM to manage Windows devices
@@ -11,11 +11,11 @@ The following list shows the general server requirements for using OMA DM to man - The OMA DM server must support the OMA DM v1.1.2 or later protocol. -- Secure Sockets Layer (TLS/SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is preinstalled in the device, you must provision the enterprise root certificate in the device's Root store. +- Secure Sockets Layer (TLS/SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a public Certification Authority whose root certificate is preinstalled in the device, you must provision the enterprise root certificate in the device's Root store. - To authenticate the client at the application level, you must use either Basic or MD5 client authentication. -- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session. +- The server MD5 nonce must be renewed in each DM session. The DMClient sends the new server nonce for the next session to the server over the Status element in every DM session. - The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index 170d213948e..a1fcf0777c4 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md 
@@ -2,7 +2,7 @@
 title: Structure of OMA DM provisioning files
 description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # Structure of OMA DM provisioning files
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 347afc4322e..b6e225d925b 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -50,6 +50,8 @@ items:
 href: device-update-management.md
 - name: Manage Copilot in Windows
 href: manage-windows-copilot.md
+ - name: Manage Recall
+ href: manage-recall.md
 - name: Secured-Core PC Configuration Lock
 href: config-lock.md
 - name: Certificate renewal
diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md
index 7b80861923d..f327359fe35 100644
--- a/windows/client-management/understanding-admx-backed-policies.md
+++ b/windows/client-management/understanding-admx-backed-policies.md
@@ -2,7 +2,7 @@
 title: Understanding ADMX policies
 description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # Understanding ADMX policies
diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
index 5fc04850808..ca347147ab8 100644
--- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -2,7 +2,7 @@
 title: Using PowerShell scripting with the WMI Bridge Provider
 description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # Using PowerShell scripting with the WMI Bridge Provider
diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md
index ff1887a640b..363072d68cb 100644
--- a/windows/client-management/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md
@@ -2,7 +2,7 @@
 title: Win32 and Desktop Bridge app ADMX policy Ingestion
 description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps.
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
 ---

 # Win32 and Desktop Bridge app ADMX policy Ingestion
diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md
index 03c28bfba7f..a9b47a78e97 100644
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,17 +1,17 @@ --- title: Enterprise settings and policy management -description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. +description: The DMClient manages the interaction between a device and a server. Learn more about the client-server management workflow. ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # Enterprise settings and policy management -The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/). +The actual management interaction between the device and server is done via the DMClient. The DMClient communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/). -Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). +Enterprise MDM settings are exposed via various configuration service providers to the DMClient. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). -Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. During the enrollment process, the task scheduler is configured to invoke the DM client to periodically poll the MDM server. +Windows currently supports one MDM server. The DMClient that is configured via the enrollment process is granted access to enterprise related settings. 
During the enrollment process, the task scheduler is configured to invoke the DMClient to periodically poll the MDM server. The following diagram shows the work flow between server and client. 
@@ -21,9 +21,9 @@ The following diagram shows the work flow between server and client. This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. -To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted TLS/SSL HTTP channel between the DM client and management service. The server and client certificates are provisioned during the enrollment process. +To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted TLS/SSL HTTP channel between the DMClient and management service. The server and client certificates are provisioned during the enrollment process. -The DM client configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DM client communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device. +The DMClient configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. 
The DMClient communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device. Here's a summary of the DM tasks supported for enterprise management: diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md index 81c71bd5baa..610f0e36b9a 100644 --- a/windows/client-management/wmi-providers-supported-in-windows.md +++ b/windows/client-management/wmi-providers-supported-in-windows.md @@ -2,7 +2,7 @@ title: WMI providers supported in Windows description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). ms.topic: conceptual -ms.date: 08/10/2023 +ms.date: 07/08/2024 --- # WMI providers supported in Windows @@ -76,7 +76,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | [**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml) | Yes | | [**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel) | Yes | | [**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration) | Yes | -| [**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile) | Yes | +| [**MSFT_NetFirewallProfile**](/windows/win32/fwp/wmi/wfascimprov/msft-netfirewallprofile) | Yes | | [**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection) | Yes | | [**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct) | | | [**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice) | | 
diff --git a/windows/configuration/accessibility/index.md b/windows/configuration/accessibility/index.md index 335576ee275..4691dba7a01 100644 --- a/windows/configuration/accessibility/index.md +++ b/windows/configuration/accessibility/index.md 
@@ -1,94 +1,43 @@ --- -title: Windows accessibility information for IT Pros -description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them. -ms.date: 01/25/2024 -ms.topic: conceptual +title: Windows accessibility for IT pros +description: Basic guidance for IT administrators on accessibility features available in Windows client. +ms.date: 07/25/2024 +ms.topic: concept-article ms.collection: tier1 --- - - - # Accessibility information for IT professionals Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. -This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features. +For more information about the accessibility resources available in Windows, see [Discover Windows accessibility features](https://support.microsoft.com/windows/discover-windows-accessibility-features-8b1068e6-d3b8-4ba8-b027-133dd8911df9#WindowsVersion=Windows_11). + +Windows 11, version 22H2, includes improvements for people with disabilities. For example, system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see the following Windows Experience blog posts: + +- [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) -Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. 
For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554). - +- [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/2022/09/20/how-inclusion-drives-innovation-in-windows-11/) ## General recommendations - **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows. + - **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings. + - **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology. -## Vision - -- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages. -- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers. -- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops. 
- - [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec) - - [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a) - - [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd) -- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings. -- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d). - - Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse. - - Adjust the size of text, icons, and other screen items to make them easier to see. - - Many high-contrast themes are available to suit your needs. -- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. -- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do. -- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions. -- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). 
If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. -- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants. -- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. - -## Hearing - -- [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions. -- Starting with Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446), live captions now supports additional languages. -- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said. -- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you. - -- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). - - Replace audible alerts with visual alerts. - - If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. 
- - Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear. -- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes. -- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions. - -## Physical - -- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. -- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do. -- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion. -- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe). - - - If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys. - - If a mouse is difficult to use, you can control the pointer by using your numeric keypad. - -## Cognition - -- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). 
Reducing animations and turning off background images and transparency can minimize distractions. -- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing. -- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read. +- Use the [Azure AI Translator](/azure/ai-services/translator/) service to add machine translation to your solutions. -## Assistive technology devices built into Windows +- [Create accessible apps](/windows/apps/develop/accessibility) that work well with Narrator and other leading screen readers. -- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display. -- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script. -- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). +- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing. - -- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition. 
+## Other resources -- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). -- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). +- [Windows accessibility](https://www.microsoft.com/windows/accessibility-features) -## Other resources +- [Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software) + +- [Inclusive design](https://inclusive.microsoft.design/) -[Windows accessibility](https://www.microsoft.com/Accessibility/windows) -[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software) -[Inclusive design](https://www.microsoft.com/design/inclusive) -[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide) +- [Accessibility guide for Microsoft 365 Apps](/microsoft-365-apps/deploy/accessibility-guide) diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md new file mode 100644 index 00000000000..3d2532b2afe --- /dev/null +++ b/windows/configuration/assigned-access/configuration-file.md 
@@ -0,0 +1,520 @@ +--- +title: Create an Assigned Access configuration file +description: Learn how to create an XML file to configure Assigned Access. +ms.topic: how-to +zone_pivot_groups: windows-versions-11-10 +ms.date: 03/04/2024 +appliesto: +--- + +# Create an Assigned Access configuration XML file + +To configure Assigned Access, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Assigned Access XML Schema Definition (XSD)](xsd.md). + +This article describes how to configure an Assigned Access configuration file, including practical examples. + +Let's start by looking at the basic structure of the XML file. An Assigned Access configuration file contains: + +- One or multiple `profiles`. Each `profile` defines a set of applications that are allowed to run +- One or multiple `configs`. Each `config` associates a user account or a group to a `profile` + +Here's a basic example of an Assigned Access configuration file, with one profile and one config: + +```xml + + + + + + + + + + + + + +``` + +## Versioning + +The Assigned Access configuration XML is versioned. The version is defined in the XML root element, and it's used to determine which schema to use to validate the XML file. The version is also used to determine which features are available for the configuration. 
Here's a table of the versions, aliases used in the documentation examples, and namespaces: + +| Version | Alias | Namespace | +|-|-|-| +|Windows 11, version 22H2|`v5`|`http://schemas.microsoft.com/AssignedAccess/2022/config`| +|Windows 11, version 21H2|`v4`|`http://schemas.microsoft.com/AssignedAccess/2021/config`| +|Windows 10|`v5`|`http://schemas.microsoft.com/AssignedAccess/202010/config`| +|Windows 10|`v3`|`http://schemas.microsoft.com/AssignedAccess/2020/config`| +|Windows 10|`rs5`|`http://schemas.microsoft.com/AssignedAccess/201810/config`| +|Windows 10|default|`http://schemas.microsoft.com/AssignedAccess/2017/config`| + +To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the `StartPins` feature that was added in Windows 11, version 22H2, use the below example. Note the alias `v5` associated to the `http://schemas.microsoft.com/AssignedAccess/2022/config` namespace for 22H2 release, and the alias is tagged on `StartPins` inline. + +```xml + + + + + + + + + + + + + + + + +``` + +Here you can find the Assigned Access XML schema definitions: [Assigned Access XML Schema Definition (XSD)](xsd.md). + +## Profiles + +A configuration file can contain one or more profiles. Each profile is identified by a unique identifier `Profile Id` and, optionally, a `Name`. For example: + +```xml + + + + + +``` + +> [!TIP] +> The `Profile Id` must be unique within the XML file. You can generate a GUID with the PowerShell cmdlet `New-Guid`. + +A profile can be one of two types: + +- `KioskModeApp`: is used to configure a kiosk experience. Users assigned this profile don't access the desktop, but only the Universal Windows Platform (UWP) application or Microsoft Edge running in full-screen above the Lock screen +- `AllAppList` is used to configure a restricted user experience. 
Users assigned this profile, access the desktop with the specific apps on the Start menu + +> [!IMPORTANT] +> +> - You can't set both `KioskModeApp` and `ShellLauncher` at the same time on the device +> - A configuration file can contain only one `KioskModeApp` profile, but it can contain multiple `AllAppList` profiles. + +### KioskModeApp + +The properties of a `KioskModeApp` profile are: + +| Property| Description | Details | +|-|-|-| +|`AppUserModelId`|The Application User Model ID (AUMID) of the UWP app.|Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md).| +|`v4:ClassicAppPath`|The full path to a desktop app executable.|This is the path to the desktop app used in kiosk mode. The path can contain system environment variables in the form of `%variableName%`.| +|`v4:ClassicAppArguments`|The arguments to be passed to the desktop app.|This property is optional.| + +By default, you can use the CTRL+ALT+DEL sequence to exit kiosk mode. You can define a `BreakoutSequence` element to change the default sequence. The `Key` attribute is a string that represents the key combination. + +Example of two profiles, a desktop app and a UWP app: + +```xml + + + + + + + +``` + +> [!NOTE] +> You can only assign a `KioskModeApp` profile to users, not to groups. + +### AllAppList + +Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration. + +> [!NOTE] +> If an app has a dependency on another app, both must be included in the allowed apps list. + +Within the `AllAppList` node, define a list of applications that are allowed execute. 
Each `App` element has the following properties: + +| Property| Description | Details | +|-|-|-| +|`AppUserModelId`|The Application User Model ID (AUMID) of the UWP app.|Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md).| +|`DesktopAppPath`|The full path to a desktop app executable.|This is the path to the desktop app that used in kiosk mode. The path can contain system environment variables in the form of `%variableName%`.| +|`rs5:AutoLaunch`|A Boolean attribute to indicate whether to launch the app (either desktop or UWP app) automatically when the user signs in.|This property is optional. Only one application can autolaunch.| +|`rs5:AutoLaunchArguments`|The arguments to be passed to the app that is configured with `AutoLaunch`.|AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. This property is optional.| + +Example: + +```xml + + + + + + + + + +``` + +::: zone pivot="windows-10" + +### File Explorer restrictions + +In a restricted user experience (`AllAppList`), folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node. + +You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. + +```xml + + + + + + + + + + + + + +``` + +Here are some practical examples. + +#### Block everything + +Either don't use the node or leave it empty. + +```xml + + +``` + +#### Only allow downloads + +```xml + + + +``` + +#### Only allow removable drives + +```xml + + + +``` + +#### Allow both Downloads, and removable drives + +```xml + + + + +``` + +#### No restrictions, all locations are allowed + +```xml + + + +``` + +> [!TIP] +> To grant access to File Explorer in a restricted user experience, add `Explorer.exe` to the list of allowed apps, and pin a shortcut to the Start menu. 
+ +::: zone-end + +### Start menu customizations + +For a restricted user experience profile (`AllAppList`), you must define the Start layout. The Start layout contains a list of applications that are pinned to the Start menu. You can choose to pin all the allowed applications to the Start menu, or a subset. The easiest way to create a customized Start layout is to configure the Start menu on a test device and then export the layout. + +To learn how to customize and export a Start menu configuration, see [Customize the Start menu](../start/layout.md). + +::: zone pivot="windows-10" + +With the exported Start menu configuration, use the `StartLayout` element and add the content of the XML file. For example: + +```xml + + + ]]> + +``` + +Example with some apps pinned: + +```xml + + + + + + + + + + + + + + + + + + + ]]> + +``` + +::: zone-end + +::: zone pivot="windows-11" + +With the exported Start menu configuration, use the `v5:StartPins` element and add the content of the exported JSON file. For example: + +```xml + + + ]]> + +``` + +Example with some apps pinned: + + + + + +::: zone-end + +> [!NOTE] +> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. + +### Taskbar customizations + +::: zone pivot="windows-10" + +You can't pin apps on the taskbar in a restricted user experience. It's not supported to configure a Taskbar layout using the `` tag in a layout modification XML, as part of the Assigned Access configuration. + +The only Taskbar customization available is the option to show or hide it, using the `ShowTaskbar` boolean attribute. + +The following example exposes the taskbar: + +```xml + +``` + +The following example hides the taskbar: + +```xml + +``` + +> [!NOTE] +> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. 
Setting `ShowTaskbar` as `false` hides the taskbar permanently. + +::: zone-end + +::: zone pivot="windows-11" + +You can customize the Taskbar by creating a custom layout and adding it to your XML file. To learn how to customize and export the Taskbar configuration, see [Customize the Taskbar](../taskbar/configure.md). + +> [!NOTE] +> In Windows 11, the `ShowTaskbar` attribute is no-op. Configure it with a value of `true`. + +With the exported Taskbar configuration, use the `v5:TaskbarLayout` element and add the content of the XML file. For example: + +```xml + + + ]]> + +``` + +Here's an example of a custom Taskbar with a few apps pinned: + +```xml + + + + + + + + + + + + + + ]]> + +``` + +::: zone-end + + + +## Configs + +Under `Configs`, define one or more user accounts, or groups, and their association with a profile. + +When the user account signs in, the associated Assigned Access profile is enforced along with policy settings that are part of the restricted user experience. + +You can assign: + +- A standard user account, which can be local, domain, or Microsoft Entra ID +- A group account, which can be local, Active Directory (domain), or Microsoft Entra ID + +Limitations: + +- Configs that specify group accounts can't use a kiosk profile, only a restricted user experience profile +- Apply the restricted user experience to standard users only. It's not supported to associate an admin user with an Assigned Access profile +- Don't apply the profile to users or groups that are targeted by conditional access policies that require user interaction. For example, multi-factor authentication (MFA), or Terms of Use (TOU). For more information, see [Users can't log on to Windows if a multi-app kiosk profile is assigned](/troubleshoot/mem/intune/device-configuration/users-cannot-logon-windows-multi-app-kiosk) + +>[!NOTE] +> On Microsoft Entra joined and domain joined devices, local user accounts aren't displayed on the sign-in screen by default. 
To display the local accounts on the sign-in screen, enable the policy setting: +> +>- GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Enumerate local users on domain-joined computers** +>- CSP: `./Device/Vendor/MSFT/Policy/Config/WindowsLogon/`[EnumerateLocalUsersOnDomainJoinedComputers](/windows/client-management/mdm/policy-csp-windowslogon#enumeratelocalusersondomainjoinedcomputers) + +### AutoLogon account + +With ``, Assigned Access creates and manages a user account to automatically sign in after a device restarts. The account is a local standard user. + +The following example shows how to specify an account to sign in automatically, and the optional display name for the account on the sign-in screen: + +```xml + + + + + + +``` + +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature doesn't work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). + +### Global profile + +With `GlobalProfile`, you can define an Assigned Access profile that is applied to every non-admin account that signs in. `GlobalProfile` is useful in scenarios like frontline workers or student devices, where you want to ensure that every user has a consistent experience. + +```xml + + + +``` + +> [!NOTE] +> You can combine a global profile with other profiles. If you assign a user a non-global profile, the global profile won't be applied to that user. + +### User accounts + +Individual accounts are specified using ``. + +> [!IMPORTANT] +> Before applying the Assigned Access configuration, make sure the specified user account is available on the device, otherwise it fails. 
+> +> For both domain and Microsoft Entra accounts, as long as the device is Active Directory joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. + +#### Local user + +Local account can be entered as `devicename\user`, `.\user`, or just `user`. + +```xml + + user + + +``` + +#### Active Directory user + +Domain accounts must be entered using the format `domain\samAccountName`. + +```xml + + contoso\user + + +``` + +#### Microsoft Entra user + +Microsoft Entra accounts must be specified with the format: `AzureAD\{UPN}`. `AzureAD` must be provided *as is*, then follow with the Microsoft Entra user principal name (UPN). + +```xml + + AzureAD\user@contoso.onmicrosoft.com + + +``` + +### Group accounts + +Group accounts are specified using ``. Nested groups aren't supported. For example, if *User A* is member of *Group A*, *Group A* is member of *Group B*, and *Group B* is used in ``, *User A* doesn't have the kiosk experience. + +#### Local group + +Specify the group type as `LocalGroup` and add the group name in the `Name` attribute. + +```xml + + + + +``` + +#### Active Directory group + +Both security and distribution groups are supported. Specify the group type as `ActiveDirectoryGroup`. Use the domain name as the prefix in the name attribute. + +```xml + + + + +``` + +#### Microsoft Entra group + +Use the object ID of the Microsoft Entra group. You can find the object ID on the overview page for the group by signing in to the Microsoft Entra admin center and browsing to **Identity** > **Groups** > **All groups**. Specify the group type as `AzureActiveDirectoryGroup`. The kiosk device must have internet connectivity when users that belong to the group sign-in. 
+ +```xml + + + + +``` + +## Next steps + +> [!div class="nextstepaction"] +> Review some practical examples of Assigned Access XML configurations: +> +> [Assigned Access examples](examples.md) diff --git a/windows/configuration/assigned-access/examples.md b/windows/configuration/assigned-access/examples.md new file mode 100644 index 00000000000..3c0c865d644 --- /dev/null +++ b/windows/configuration/assigned-access/examples.md @@ -0,0 +1,49 @@ +--- +title: Assigned Access examples +description: Practical examples of XML files to configure Assigned Access. +ms.date: 03/04/2024 +ms.topic: reference +zone_pivot_groups: windows-versions-11-10 +appliesto: +--- + +# Assigned Access examples + +This article contains examples of XML files to configure a device with Assigned Access. The files can be easily modified to fit your specific needs. + +To learn more: + +- [Create an Assigned Access configuration XML file](configuration-file.md). +- [Assigned Access XML Schema Definition (XSD)](xsd.md). + +## Kiosk experience with Microsoft Edge + +[!INCLUDE [example-kiosk-edge](includes/example-kiosk-edge.md)] + +## Kiosk experience with Universal Windows Platform (UWP) app + +[!INCLUDE [example-kiosk-uwp](includes/example-kiosk-uwp.md)] + +::: zone pivot="windows-10" + +## File Explorer restrictions + +[!INCLUDE [example-file-explorer-restrictions](includes/example-file-explorer-restrictions.md)] + +::: zone-end + +## Global Profile + +The following configuration demonstrates that only a global profile is used, with no user configured. + +[!INCLUDE [example-global-profile](includes/example-global-profile.md)] + +## User Group + +The following configuration demonstrates how to assign profiles to different users and groups, including a user configured to automatically sign in. + +[!INCLUDE [example-usergroup](includes/example-usergroup.md)] + +## Restricted user experience + +[!INCLUDE [example-restricted-experience](includes/example-restricted-experience.md)] 
diff --git a/windows/configuration/assigned-access/images/kiosk.png b/windows/configuration/assigned-access/images/kiosk.png
new file mode 100644
index 00000000000..bea0e381b67
Binary files /dev/null and b/windows/configuration/assigned-access/images/kiosk.png differ
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience-windows-10.png b/windows/configuration/assigned-access/images/restricted-user-experience-windows-10.png
new file mode 100644
index 00000000000..81f6ded25ec
Binary files /dev/null and b/windows/configuration/assigned-access/images/restricted-user-experience-windows-10.png differ
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png b/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png
new file mode 100644
index 00000000000..6105c7bdd73
Binary files /dev/null and b/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png differ
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience.png b/windows/configuration/assigned-access/images/restricted-user-experience.png
new file mode 100644
index 00000000000..566b4bd9028
Binary files /dev/null and b/windows/configuration/assigned-access/images/restricted-user-experience.png differ
diff --git a/windows/configuration/assigned-access/includes/example-file-explorer-restrictions.md b/windows/configuration/assigned-access/includes/example-file-explorer-restrictions.md
new file mode 100644
index 00000000000..ff855baa88f
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/example-file-explorer-restrictions.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 03/01/2024
+ms.topic: include
+---
+
+
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
diff --git a/windows/configuration/assigned-access/includes/example-global-profile.md b/windows/configuration/assigned-access/includes/example-global-profile.md
new file mode 100644
index 00000000000..a818640cbd7
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/example-global-profile.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+---
+
+
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+```
diff --git a/windows/configuration/assigned-access/includes/example-kiosk-edge.md b/windows/configuration/assigned-access/includes/example-kiosk-edge.md
new file mode 100644
index 00000000000..91059e74346
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/example-kiosk-edge.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 03/01/2024
+ms.topic: include
+---
+
+
+
+```xml
+
+
+
+
+
+
+
+
+
+
+ Edge kiosk
+
+
+
+
+```
diff --git a/windows/configuration/assigned-access/includes/example-kiosk-uwp.md b/windows/configuration/assigned-access/includes/example-kiosk-uwp.md
new file mode 100644
index 00000000000..69e5a1ac703
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/example-kiosk-uwp.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+---
+
+
+
+```xml
+
+
+
+
+
+
+
+
+
+ Weather app
+
+
+
+
+```
diff --git a/windows/configuration/assigned-access/includes/example-restricted-experience.md b/windows/configuration/assigned-access/includes/example-restricted-experience.md
new file mode 100644
index 00000000000..7ee28b6761b
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/example-restricted-experience.md
@@ -0,0 +1,115 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + + + +::: zone pivot="windows-10" + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + +``` + +::: zone-end + +::: zone pivot="windows-11" + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +::: zone-end diff --git a/windows/configuration/assigned-access/includes/example-two-profiles.md b/windows/configuration/assigned-access/includes/example-two-profiles.md new file mode 100644 index 00000000000..42bad928017 --- /dev/null +++ b/windows/configuration/assigned-access/includes/example-two-profiles.md @@ -0,0 +1,37 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + + + +```xml + + + + + + + + + + + + + + + + + + Weather app + + + + Library Kiosk + + + + +``` diff --git a/windows/configuration/assigned-access/includes/example-usergroup.md b/windows/configuration/assigned-access/includes/example-usergroup.md new file mode 100644 index 00000000000..7d69b07f0bf --- /dev/null +++ b/windows/configuration/assigned-access/includes/example-usergroup.md @@ -0,0 +1,47 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + + + +```xml + + + + + + + + contoso\user + + + + AzureAD\user@contoso.onmicrosoft.com + + + + user + + + + + + + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md b/windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md new file mode 100644 index 00000000000..8fb14f8ac67 --- /dev/null +++ b/windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md 
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+---
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
+Content-Type: application/json
+
+{ "id": "00000000-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Kiosk - Assigned Access", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "displayName": "Configuration", "@odata.type": "#microsoft.graph.omaSettingString", "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n" } ] }
+```
\ No newline at end of file
diff --git a/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md b/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
new file mode 100644
index 00000000000..4f5ce43c2e0
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
@@ -0,0 +1,32 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+---
+
+```powershell
+$assignedAccessConfiguration = @"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+"@
+
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
+Set-CimInstance -CimInstance $obj
+```
diff --git a/windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md b/windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md
new file mode 100644
index 00000000000..93a06073469
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+---
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md
new file mode 100644
index 00000000000..7267d16e537
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+---
+
+::: zone pivot="windows-10"
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
+Content-Type: application/json
+
+{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 10", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n ]]>\n \n \n \n \n \n \n \n \n \n \n" } ] }
+```
+
+::: zone-end
+
+::: zone pivot="windows-11"
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
+Content-Type: application/json
+
+{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 11", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] }
+```
+
+::: zone-end
\ No newline at end of file
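Review bot: Both sample payloads in this file use `"id": "00-0000-0000-0000-000000000000"`, which is not a well-formed GUID, while the kiosk quickstart payload in quickstart-kiosk-intune.md uses `"00000000-0000-0000-0000-000000000000"`; I would use the same all-zero GUID here. Each payload also carries `"isEncrypted": true` and `"secretReferenceValueId": null` next to a plaintext `value`, which looks like residue from an exported policy. A reader may take that flag to mean the XML is stored or sent encrypted, so I would drop both properties as the kiosk payload does, after confirming how the Graph endpoint treats them on POST.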
diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md new file mode 100644 index 00000000000..35a15c446f1 --- /dev/null +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md @@ -0,0 +1,129 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + +::: zone pivot="windows-10" + +```powershell +$assignedAccessConfiguration = @" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + +"@ + +$namespaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration) +Set-CimInstance -CimInstance $obj +``` + +::: zone-end + +::: zone pivot="windows-11" + +```powershell +$assignedAccessConfiguration = @" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +"@ + +$namespaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration) +Set-CimInstance -CimInstance $obj +``` + +::: zone-end diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md new file mode 100644 index 00000000000..514c6ab44cd --- /dev/null +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md 
@@ -0,0 +1,113 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + +::: zone pivot="windows-10" + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + +``` + +::: zone-end + +::: zone pivot="windows-11" + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +::: zone-end diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md new file mode 100644 index 00000000000..e8f3ecf20b0 --- /dev/null +++ b/windows/configuration/assigned-access/index.md 
@@ -0,0 +1,72 @@ +--- +title: Windows kiosks and restricted user experiences +description: Learn about the options available in Windows to configure kiosks and restricted user experiences. +ms.topic: overview +ms.date: 03/04/2024 +--- + +# Windows kiosks and restricted user experiences + +Organizations are constantly seeking ways to streamline operations, improve customer service, and enhance productivity. One effective solution is the deployment of kiosk devices. These specialized devices offer a range of benefits that can significantly impact an organization's efficiency and success. For example: + +- Cost-effective customer service: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels +- Reduced wait times: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly +- Consistent brand experience: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image +- Customization and flexibility: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. 
Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements + +Windows offers two different options for public or specialized use: + +:::row::: + :::column span="1"::: + :::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false"::: + :::column-end::: + :::column span="3"::: + #### Kiosk experience + :::column-end::: +:::row-end::: + +This option runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This option is sometimes referred to as *single-app kiosk*. + +Windows offers two different features to configure a kiosk experience: + +- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts +- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen + +:::row::: + :::column span="1"::: + :::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false"::: + :::column-end::: + :::column span="3"::: + #### Restricted user experience + :::column-end::: +:::row-end::: + +This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. 
This option is sometimes referred to as *multi-app kiosk*. + +To configure a restricted user experience, you use the **Assigned Access** feature. + +## Choose the right experience + +When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions: + +| | Question | +|--|--| +| **🔲** | *How many apps?*
    The number of apps determines the experience to build: **kiosk** or **restricted user experience**.| +| **🔲** | *Desktop experience or custom?*
    If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom user interface, then you should use **Shell Launcher**.| +| **🔲** | *In single-app scenario, which type of app will your kiosk run?*
    If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.| +| **🔲** | *Which edition of Windows client will the kiosk run?"*
    **Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.| + +## Next steps + +In the next sections, you can learn more about the options available to configure kiosks and restricted user experiences: + +- [Assigned Access](overview.md) +- [Shell Launcher](shell-launcher/index.md) + +### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts + +If you're ready to try out the options available to configure kiosks and restricted user experiences, check out the following quickstarts: + +- [Quickstart: configure a kiosk with Assigned Access](quickstart-kiosk.md) +- [Quickstart: configure a kiosk experience with Shell Launcher](shell-launcher/quickstart-kiosk.md) +- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md) \ No newline at end of file diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/overview.md new file mode 100644 index 00000000000..12ed03cf428 --- /dev/null +++ b/windows/configuration/assigned-access/overview.md 
@@ -0,0 +1,344 @@ +--- +title: What is Assigned Access? +description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access. +ms.date: 06/14/2024 +ms.topic: overview +--- + +# What is Assigned Access? + +Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience. + +When you configure a **kiosk experience**, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include: + +- Public browsing +- Interactive digital signage + +When you configure a **restricted user experience**, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked down experience. The users can access a familiar Windows desktop, while limiting their access, reducing distractions, and potential for inadvertent uses. Ideal for shared devices, you can create different configurations for different users. Practical examples include: + +- Frontline worker devices +- Student devices +- Lab devices + +> [!NOTE] +> When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users only, and some to administrator accounts too. For more information, see [Assigned Access policy settings](policy-settings.md). + +## Requirements + +Here are the requirements for Assigned Access: + +- To use a kiosk experience, [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be enabled +- To use a kiosk experience, you must sign in from the console. 
The kiosk experience isn't supported over a remote desktop connection + +[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)] + +## Configure a kiosk experience + +There are several options to configure a kiosk experience. If you need to configure a single device with a local account, you can use: + +- PowerShell: you can use the `Set-AssignedAccess` PowerShell cmdlet to configure a kiosk experience using a local standard account +- Settings: use this option when you need a simple method to configure a single device with a local standard user account + +For advanced customizations, you can use the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp) to configure the kiosk experience. The CSP allows you to configure the kiosk app, the user account, and the kiosk app's behavior. When you use the CSP, you must create an XML configuration file that specifies the kiosk app and the user account. The XML file is applied to the device using one of the following options: + +- A Mobile Device Management (MDM) solution, like Microsoft Intune +- Provisioning packages +- PowerShell, with the MDM Bridge WMI Provider + +To learn how to configure the Shell Launcher XML file, see [Create an Assigned Access configuration file](configuration-file.md). + +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) + +You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3]. + +- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration` +- **Value:** content of the XML configuration file + +Assign the policy to a group that contains as members the devices that you want to configure. 
+ +#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] + +- **Path:** `AssignedAccess/AssignedAccessSettings` +- **Value:** Enter the account and the application you want to use for Assigned access, using the AUMID of the app. Example: + - `{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}` + +[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] + +#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) + +To configure a device using Windows PowerShell: + +1. Sign in as administrator +1. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access +1. Sign in as the Assigned Access user account +1. Install the required UWP app +1. Sign out as the Assigned Access user account +1. Sign in as administrator and from an elevated PowerShell prompt use one of the following commands: + + ```PowerShell + #Configure Assigned Access by AppUserModelID and user name + Set-AssignedAccess -AppUserModelId -UserName + + #Configure Assigned Access by AppUserModelID and user SID + Set-AssignedAccess -AppUserModelId -UserSID + + #Configure Assigned Access by app name and user name + Set-AssignedAccess -AppName -UserName + + #Configure Assigned Access by app name and user SID**: + Set-AssignedAccess -AppName -UserSID + +> [!NOTE] +> To set up Assigned Access using `-AppName`, the user account that you enter for Assigned Access must have signed in at least once. 
+ +For more information: + +- [Find the Application User Model ID of an installed app](../store/find-aumid.md) +- [Set-AssignedAccess](/powershell/module/assignedaccess/set-assignedaccess) + +To remove assigned access, using PowerShell, run the following cmdlet: + +```powershell +Clear-AssignedAccess +``` + +For advanced customizations that use the XML configuration file, you can use PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). + +> [!IMPORTANT] +> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. + +To test the PowerShell script, you can: + +1. [Download the psexec tool](/sysinternals/downloads/psexec) +1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` +1. Run the script in the PowerShell session + +```PowerShell +$shellLauncherConfiguration = @" + +# content of the XML configuration file + +"@ + +$namespaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) +$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue +if($cimSetError) { + Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" + Write-Error -ErrorRecord $cimSetError[0] + + $timeout = New-TimeSpan -Seconds 30 + $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + do{ + $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore + } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available + + if($events.Count) { + $events | ForEach-Object { + Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")" + } + } else { + Write-Warning "Timed-out attempting to retrieve event logs..." 
+ } + + Exit 1 +} + +Write-Output "Successfully applied Shell Launcher configuration" +``` + +[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)] + +#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings) + +Here are the steps to configure a kiosk using the Settings app: + +1. Open the Settings app to view and configure a device as a kiosk. Go to **Settings > Accounts > Other Users**, or use the following shortcut: + + > [!div class="nextstepaction"] + > + > [Other Users](ms-settings:otherusers) + +1. Under **Set up a kiosk**, select **Get Started** +1. In the **Create an account** dialog, enter the account name, and select **Next** + >[!NOTE] + >If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account** + +1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen are available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options: + + - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser) + - Which URL should be open when the kiosk accounts signs in + - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) + +1. Select **Close** + +When the device isn't joined to an Active Directory domain or Microsoft Entra ID, automatic sign-in of the kiosk account is configured automatically: + +- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything +- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. 
Sign in with the account that you want to use as the kiosk account. Open **Settings** > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device + +--- + +> [!TIP] +> For practical examples, see the [Quickstart: Configure a kiosk with Assigned Access](quickstart-kiosk.md). + +## Configure a restricted user experience + +To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options: + +- A Mobile Device Management (MDM) solution, like Microsoft Intune +- Provisioning packages +- PowerShell, with the MDM Bridge WMI Provider + +To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md). + +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) + +You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3]. + +- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher` +- **Value:** content of the XML configuration file + +Assign the policy to a group that contains as members the devices that you want to configure. 
+ +#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] + +- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings` +- **Value:** content of the XML configuration file + +[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] + +#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) + +[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)] + +```PowerShell +$assignedAccessConfiguration = @" + +# content of the XML configuration file + +"@ + +$namespaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration) +$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue +if($cimSetError) { + Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" + Write-Error -ErrorRecord $cimSetError[0] + + $timeout = New-TimeSpan -Seconds 30 + $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + do{ + $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore + } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available + + if($events.Count) { + $events | ForEach-Object { + Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")" + } + } else { + Write-Warning "Timed-out attempting to retrieve event logs..." 
+ } + + Exit 1 +} + +Write-Output "Successfully applied Assigned Access configuration" +``` + +[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)] + +#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings) + +This option isn't available using Settings. + +--- + +> [!TIP] +> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md) + +## User experience + +To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file. + +The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience. + +> [!NOTE] +> Starting in Windows 11, a restricted user experience supports the use of multiple monitors. + +### Autotrigger touch keyboard + +The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior. + +> [!TIP] +> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard is not triggered on VMs. + +### Sign out of assigned access + +By default, to exit the kiosk experience, press Ctrl + Alt + Del. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen timeout, the kiosk app relaunches. 
The default timeout is 30 seconds, but you can change the timeout with the registry key: + +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` + +To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +> [!NOTE] +> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode. + +The Breakout Sequence of Ctrl + Alt + Del is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is CTRL + ALT + A, where CTRL + ALT are the modifiers, and A is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md). + +### Keyboard shortcuts + +The following keyboard shortcuts are blocked for the user accounts with Assigned Access: + +| Keyboard shortcut | Action | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------| +| Ctrl + Shift + Esc | Open Task Manager | +| WIN + , (comma) | Temporarily peek at the desktop | +| WIN + A | Open Action center | +| WIN + Alt + D | Display and hide the date and time on the desktop | +| WIN + Ctrl + F | Find computer objects in Active Directory | +| WIN + D | Display and hide the desktop | +| WIN + E | Open File Explorer | +| WIN + F | Open Feedback Hub | +| WIN + G | Open Game bar when a game is open | +| WIN + I | Open Settings | +| WIN + J | Set focus to a Windows tip when one is available | +| WIN + O | Lock device orientation | +| WIN + Q | Open search | +| WIN + R | Open the Run dialog box | +| WIN + S | Open search | +| WIN + Shift + C | Open Cortana in listening mode | +| WIN + X | Open the Quick Link menu | +| LaunchApp1 | Open the app that is assigned to this key | +| LaunchApp2 | Open the app that is assigned to this key. 
On many Microsoft keyboards, the app is Calculator | +| LaunchMail | Open the default mail client | + +For information on how to customize keyboard shortcuts, see [Assigned Access recommendations](recommendations.md#keyboard-shortcuts). + +## Remove Assigned Access + +Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained. + +## Next steps + +> [!div class="nextstepaction"] +> Review the recommendations before you deploy Assigned Access: +> +> [Assigned Access recommendations](recommendations.md) + + + +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 +[WIN-3]: /windows/client-management/mdm/assignedaccess-csp diff --git a/windows/configuration/assigned-access/policy-settings.md b/windows/configuration/assigned-access/policy-settings.md new file mode 100644 index 00000000000..0bf8a93e30e --- /dev/null +++ b/windows/configuration/assigned-access/policy-settings.md 
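Review bot: Both PowerShell samples in overview.md pass `$eventLogFilterHashTable` to `Get-WinEvent`, but nothing visible in either script defines it, so the error-log retrieval in the failure path cannot work as written and would at best end in the 30-second time-out warning. I would define the filter before the `do` loop, for example `$eventLogFilterHashTable = @{ LogName = '<assigned-access-event-channel>' }` with the real channel name filled in. The kiosk section's sample also writes the XML to `$obj.ShellLauncher` and prints "Successfully applied Shell Launcher configuration", and the restricted-experience Intune tab names `./Vendor/MSFT/AssignedAccess/ShellLauncher`, whereas the other samples on the page and the quickstart payloads use the `Configuration` node. If these are copy-paste leftovers, a device set up from them may not receive the intended Assigned Access lockdown, so I would align them to `$obj.Configuration` and `./Vendor/MSFT/AssignedAccess/Configuration`, and fix the "Shell Launcher XML file" wording in the kiosk section.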
@@ -0,0 +1,114 @@ +--- +title: Assigned Access policy settings +description: Learn about the policy settings enforced on a device configured with Assigned Access. +ms.topic: reference +ms.date: 03/04/2024 +--- + +# Assigned Access policy settings + +When the Assigned Access configuration is applied on a device, certain policy settings and AppLocker rules are enforced, impacting the users accessing the device. The policy settings use a combination of configuration service provider (CSP) and group policy (GPO) settings. + +This reference article lists the policy settings and AppLocker rules applied by Assigned Access. + +>[!NOTE] +>It's not recommended to configure policy settings enforced by Assigned Access to different values using other channels. Assigned Access is optimized to provide a locked-down experience. + +## Device policy settings + +The following policy settings are applied at the device level when you deploy a restricted user experience. Any user accessing the device is subject to the policy settings, including administrator accounts: + +| Type | Path | Name/Description | +|---------|----------------------------------------------------------------------------|---------------------------------------------------------------------------| +| **CSP** | `./Vendor/MSFT/Policy/Config/Experience/AllowCortana` | Disable Cortana | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments` | Disable Start documents icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads` | Disable Start downloads icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderFileExplorer` | Disable Start file explorer icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderHomeGroup` | Disable Start home group icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderMusic` | Disable Start music icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderNetwork` | Disable Start network 
icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPersonalFolder` | Disable Start personal folder icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPictures` | Disable Start pictures icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderSettings` | Disable Start settings icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderVideos` | Disable Start videos icon | +| **CSP** | `./Vendor/MSFT/Policy/Config/Start/HideChangeAccountSettings` | Hide *Change account settings* from appearing in the user tile | +| **CSP** | `./Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable` | Hides all update notifications | +| **CSP** | `./Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel` | Disables auto restart notifications for updates | +| **CSP** | `./Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace` | Access to ink workspace is disabled | +| **CSP** | `./Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI` | Hide networks UI on the logon screen, as well as on "security options" UI | + +## User policy settings + +The following policy settings are applied to any nonadministrator account when you deploy a restricted user experience: + +| Type | Path | Name/Description | +|---------|----------------------------------------------------------------------------------|-------------------------------------------------------------------| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus` | Disable Context Menu for Start menu apps | +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar` | Hide People Bar from appearing on taskbar | +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu | +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists` | Hide recent jumplists from appearing on the Start menu/taskbar | +| **GPO** | 
User Configuration\Administrative Templates\Start Menu and Taskbar | Clear history of recently opened documents on exit | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toast | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning items in Jump Lists | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning programs to the Taskbar | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not display or track items in Jump Lists from remote locations | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide and disable all items on the desktop | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the Task View button | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock all taskbar settings | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock the Taskbar | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from adding or removing toolbars | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from customizing their Start Screen | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from moving taskbar to another screen dock location | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from rearranging toolbars | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from resizing the taskbar | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from uninstalling applications from Start | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove 
access to the context menus for the task bar | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove All Programs list from the Start menu | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Control Center | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove frequent programs list from the Start Menu | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Notification and Action Center | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Quick Settings | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Run menu from Start Menu | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove the Security and Maintenance icon | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off all balloon notifications | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off feature advertisement balloon notifications | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications | +| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Change Password | +| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Logoff | +| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager | +| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove *Map network drive* and *Disconnect Network Drive* | +| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu | + +The following policy settings are applied to the kiosk account when you configure a kiosk experience with 
Microsoft Edge: + +| Type | Path | Name/Description | +|---------|-----------------------------------------------------------------------------------|--------------------------------------------------------| +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Run only specified Windows applications > `msedge.exe` | +| **GPO** | User Configuration\Administrative Templates\System | Turn off toast notifications | +| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Default risk level for file attachments > High risk | +| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Inclusion list for low file types > `.pdf;.epub` | +| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu | + +## AppLocker rules + +When you deploy an Assigned Access restricted user experience, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules: + +### Universal Windows Platform (UWP) app rules + +1. The default rule is to allow all users to launch the signed *packaged apps* +1. The packaged app *deny list* is generated at runtime when the Assigned Access user signs in: + 1. Based on the installed apps available for the user account, Assigned Access generates the deny list. The list excludes the default allowed inbox packaged apps, which are critical for the system to function, and then exclude the allowed packages that are defined in the Assigned Access configuration + 1. 
If there are multiple apps within the same package, all the apps are excluded + +The deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list + +> [!NOTE] +> You can't manage AppLocker rules that are generated by the restricted user experience in MMC snap-ins. Avoid creating AppLocker rules that conflict with AppLocker rules generated by Assigned Access. +> +> Assigned access doesn't prevent the organization or users from installing UWP apps. When a new UWP app is installed during an Assigned Access session, the app isn't in the deny list. When the user signs out and signs in again, the installed app is included in the deny list. For apps deployed centrally that you want to allow, like line-of-biness apps, update the Assigned Access configuration and include the apps in the *allow app list*. + +### Desktop app rules + +1. The default rule is to allow all users to launch the desktop programs signed with *Microsoft Certificate* for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. +1. There's a predefined inbox desktop app deny list for the Assigned Access user account, which is updated based on the *desktop app allow list* that you defined in the Assigned Access configuration +1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list diff --git a/windows/configuration/assigned-access/quickstart-kiosk.md b/windows/configuration/assigned-access/quickstart-kiosk.md new file mode 100644 index 00000000000..0dd9ff9fa7f --- /dev/null +++ b/windows/configuration/assigned-access/quickstart-kiosk.md 
@@ -0,0 +1,104 @@
+---
+title: "Quickstart: configure a kiosk experience with Assigned Access"
+description: Learn how to configure a kiosk experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
+ms.topic: quickstart
+ms.date: 03/04/2024
+---
+
+# Quickstart: configure a kiosk with Assigned Access
+
+This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
+
+The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows.
+
+## Prerequisites
+
+>[!div class="checklist"]
+>Here's a list of requirements to complete this quickstart:
+>
+>- A Windows device
+>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
+>- Windows Configuration Designer, if you want to configure the settings using a provisioning package
+>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
+
+## Configure a kiosk
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+> [!TIP]
+> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. 
If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. + +[!INCLUDE [quickstart-kiosk-intune](includes/quickstart-kiosk-intune.md)] + +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3]. + +- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration` +- **Value:** + +[!INCLUDE [quickstart-kiosk-xml](includes/quickstart-kiosk-xml.md)] + +Assign the policy to a group that contains as members the devices that you want to configure. + +#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] + +- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings` +- **Value:** + +[!INCLUDE [quickstart-kiosk-xml](includes/quickstart-kiosk-xml.md)] + +[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] + +#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) + +[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)] + +[!INCLUDE [quickstart-kiosk-ps](includes/quickstart-kiosk-ps.md)] + +[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)] + + + +#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings) + +Here are the steps to configure a kiosk using the Settings app: + +1. Open the Settings app to view and configure a device as a kiosk. Go to **Settings > Accounts > Other Users**, or use the following shortcut: + + > [!div class="nextstepaction"] + > + > [Other Users](ms-settings:otherusers) + +1. Under **Set up a kiosk**, select **Get Started** +1. 
In the **Create an account** dialog, enter the account name, and select **Next** + >[!NOTE] + >If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account** + +1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen are available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options: + + - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser) + - Which URL should be open when the kiosk accounts signs in + - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) + +1. Select **Close** + +--- + +## User experience + +After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge. + +## Next steps + +> [!div class="nextstepaction"] +> Learn more about Assigned Access and how to configure it: +> +> [Assigned Access overview](overview.md) + +[WIN-3]: /windows/client-management/mdm/assignedaccess-csp +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 diff --git a/windows/configuration/assigned-access/quickstart-restricted-user-experience.md b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md new file mode 100644 index 00000000000..de5573c281a --- /dev/null +++ b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md 
@@ -0,0 +1,93 @@
+---
+title: "Quickstart: configure a restricted user experience with Assigned Access"
+description: Learn how to configure a restricted user experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
+ms.topic: quickstart
+ms.date: 03/04/2024
+appliesto:
+zone_pivot_groups: windows-versions-11-10
+---
+
+# Quickstart: configure a restricted user experience with Assigned Access
+
+This quickstart provides practical examples of how to configure a *restricted user experience* on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
+
+The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
+
+## Prerequisites
+
+>[!div class="checklist"]
+>Here's a list of requirements to complete this quickstart:
+>
+>- A Windows device
+>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
+>- Windows Configuration Designer, if you want to configure the settings using a provisioning package
+>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
+
+## Configure a restricted user experience
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+> [!TIP]
+> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. 
If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
+
+[!INCLUDE [quickstart-restricted-experience-intune.md](includes/quickstart-restricted-experience-intune.md)]
+
+[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
+
+- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
+- **Value:**
+
+[!INCLUDE [quickstart-restricted-experience-xml.md](includes/quickstart-restricted-experience-xml.md)]
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
+
+- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
+- **Value:**
+
+[!INCLUDE [quickstart-restricted-experience-xml.md](includes/quickstart-restricted-experience-xml.md)]
+
+[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+
+[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
+
+[!INCLUDE [quickstart-restricted-experience-ps.md](includes/quickstart-restricted-experience-ps.md)]
+
+[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
+
+---
+
+## User experience
+
+After the settings are applied, reboot the device. A local user account is automatically signed in, with access to a limited set of applications, which are pinned to the Start menu. 
+
+::: zone pivot="windows-11"
+:::image type="content" source="images/restricted-user-experience-windows-11.png" alt-text="Screenshot of the Windows 11 desktop used for the quickstart." border="false":::
+
+::: zone-end
+
+::: zone pivot="windows-10"
+:::image type="content" source="images/restricted-user-experience-windows-10.png" alt-text="Screenshot of the Windows 10 desktop used for the quickstart." border="false":::
+
+::: zone-end
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn more about Assigned Access and how to configure it:
+>
+> [Assigned Access overview](overview.md)
+
+
+
+[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
diff --git a/windows/configuration/assigned-access/recommendations.md b/windows/configuration/assigned-access/recommendations.md
new file mode 100644
index 00000000000..64b2ce4d5c1
--- /dev/null
+++ b/windows/configuration/assigned-access/recommendations.md
@@ -0,0 +1,173 @@ +--- +title: Assigned Access recommendations +description: Learn about the recommended kiosk and restricted user experience configuration options. +ms.topic: best-practice +ms.date: 03/11/2024 +--- + +# Assigned Access recommendations + +This article contains recommendations for devices configured with Assigned Access and Shell Launcher. Most of the recommendations include both group policy (GPO) and configuration service provider (CSP) settings to help you configure your kiosk devices. + +## Kiosk user account + +For kiosks devices located in public-facing environments, configure as a kiosk account a user account with the least privileges, such as a local, standard user account. Using an Active Directory user or Microsoft Entra user might allow an attacker to gain access to domain resources that are accessible to any domain accounts. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account. + +### Automatic sign-in + +Consider enabling *automatic sign-in* for your kiosk device. When the device restarts, from an update or power outage, you can configure the device to sign in with the Assigned Access account automatically. Ensure that policy settings applied to the device don't prevent automatic sign in from working as expected. For example, the policy settings [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname) prevents automatic sign-in from working. + +You can configure the Assigned Access and Shell Launcher XML files with an account to sign-in automatically. 
For more information, review the articles: + +- [Create an Assigned Access configuration XML file](configuration-file.md) +- [Create a Shell Launcher configuration file](shell-launcher/configuration-file.md) + +Alternatively, you can edit the Registry to have an account sign in automatically: + +| Path | Name | Type | Value | +|--|--|--|--| +| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `AutoAdminLogon` | REG_DWORD | 1 | +| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `DefaultUserName` | String | Set value as the account that you want signed in. | +| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `DefaultPassword` | String | Set value as the password for the account. | +| `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | `DefaultDomainName` | String | Set value for domain, only for domain accounts. For local accounts, don't add this key. | + +Once automatic sign-in is configured, reboot the device. The account will sign in automatically. + +> [!NOTE] +> If you are using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with `HideAutoLogonUI` enabled, you might experience a black screen when the user account password expires. Consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed). + +## Windows Update + +Configure your kiosk devices so that they're always up to date, without disrupting the user experience. Here are some policy settings to consider, to configure Windows Update for your kiosk devices: + +| Type | Path | Name/Description | +|--|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend) | Integer value that represents the end of active hours. 
For example, `22` represents 10PM | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart) | Integer value that represents the start of active hours. For example, `7` represents 7AM | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#allowautoupdate) | Integer value. Set to `3` - Auto download and schedule the install | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#scheduledinstalltime) | Integer value. Specify the time for the device to install updates. For example, `23` represents 11PM | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Update/`[UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) | Integer value. Set to `2`: turn off all notifications, including restart warnings | +| **GPO** | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience | Display options for update notifications > Set the value to **2 - Turn off all notifications, including restart warnings** | +| **GPO** | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Configure Automatic Updates | **4 - Auto download and schedule the install** > specify an install time that is outside the active hours | +| **GPO** | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Turn off autorestart for updates during active hours | Configure the start and end active hours, during which the kiosk device can't restart due to Windows Update | + +## Power settings + +You might want to prevent the kiosk device from going to sleep, or prevent users to shut down or restart the kiosk. 
Here are some options to consider: + +| Type | Path | Name/Description | +|--|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/`[HidePowerOptions](/windows/client-management/mdm/policy-csp-admx-startmenu#hidepoweroptions) | String. Set to `` | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`
    [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#shutdown_allowsystemtobeshutdownwithouthavingtologon) | Integer value. Set to `0` | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | String. Set to `` | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Integer. Set to `0` | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#SelectSleepButtonActionPluggedIn) | Integer. Set to `0` | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Power/`[StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | String. Set to `` | +| **GPO** | Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | **Enable** | +| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Power button action | Select the action: **Take no action** | +| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Button Settings\Select the Sleep button action | Select the action: **Take no action** | +| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Specify the system sleep timeout | Set the value to **0** seconds. | +| **GPO** | Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings\Turn off the display | Set the value to **0** seconds. 
| +| **GPO** | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on | **Disabled** | +| **GPO** | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system | Remove the users or groups from this policy. To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. | + +> [!NOTE] +> You can also disable the power button from the security options screen using a feature called *Custom Logon*. For more information on removing the power button or disabling the physical power button, see [Custom Logon][WHW-1]. + +## Keyboard shortcuts + +The following keyboard shortcuts aren't blocked for any user account that is configured with a restricted user experience: + +- Alt + F4 +- Alt + Tab +- Alt + Shift + Tab +- Ctrl + Alt + Delete + +You can use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the key combinations. Keyboard Filter settings apply to other standard accounts. + +### Accessibility shortcuts + +Assigned access doesn't change accessibility settings. Use *Keyboard Filter* to block the following key combinations that open accessibility features: + + | Key combination | Blocked behavior | + | --- | --- | + | Left Alt + Left Shift + Print Screen | Open High Contrast dialog box | + | Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box | + | WIN + U | Open the Settings app accessibility panel | + +> [!NOTE] +> If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). + +You can also disable the accessibility features and other options on the lock screen with [Custom Logon][WHW-1]. 
For example, to remove the Accessibility option, use the following registry key: + +| Path | Name | Type | Value | +|--|--|--|--| +| `HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon\BrandingNeutral` | `BrandingNeutral` | REG_DWORD | 8 | + +### Microsoft Edge shortcuts + +To disable certain [Microsoft Edge default shortcuts](/deployedge/edge-learnmore-configurable-edge-commands), you can use the [ConfigureKeyboardShortcuts](/deployedge/microsoft-edge-policies#configurekeyboardshortcuts) policy. + +## Choose an app for a kiosk experience + +To create a kiosk experience with Assigned Access, you can choose UWP apps or Microsoft Edge. However, some applications might not provide a good user experience when used as a kiosk. + +The following guidelines help you choose an appropriate Windows app for a kiosk experience: + +- Windows apps must be provisioned or installed for the Assigned Access account before they can be selected as the Assigned Access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps) +- UWP app updates can sometimes change the Application User Model ID (AUMID) of the app. In such scenario, you must update the Assigned Access settings to execute the updated app, because Assigned Access uses the AUMID to determine the app to launch +- The app must be able to run above the lock screen. If the app can't run above the lock screen, it can't be used as a kiosk app +- Some apps can launch other apps. Assigned Access in kiosk mode prevents Windows apps from launching other apps. Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality +- Microsoft Edge includes support for kiosk mode. 
To learn more, see [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +- Don't select Windows apps that might expose information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access +- Some apps might require more configurations before they can be used appropriately in Assigned Access. For example, Microsoft OneNote requires you to set up a Microsoft account for the Assigned Access user account before OneNote opens +- The kiosk profile is designed for public-facing kiosk devices. Use a local, nonadministrator account. If the device is connected to your organization network, using a domain or Microsoft Entra account could compromise confidential information + +When planning to deploy a kiosk or a restricted user experience, consider the following recommendations: + +- Evaluate all applications that users should use. If applications require user authentication, don't use a local or generic user account. Rather, target the group of users within the Assigned Access configuration file +- A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, certain policy settings that affect all nonadministrator users on the device. For a list of these policies, see [Assigned Access policy settings](policy-settings.md) + +### Develop your kiosk app + +Assigned Access uses the *Lock framework*. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an *above lock* screen app. To learn more, see [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). 
+ +## Stop errors and recovery options + +When a stop error occurs, Windows displays a blue screen with a stop error code. You can replace the standard screen with a blank screen for OS errors. For more information, see [Configure system failure and recovery options](/troubleshoot/windows-client/performance/configure-system-failure-and-recovery-options). + +## Lock screen notifications + +Consider removing notifications from the lock screen to prevent users from seeing notifications when the device is locked. Here are some options to consider: + +| Type | Path | Name/Description | +|--|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/AboveLock/`[AllowToasts](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts)| Integer. Set to `0` | +| **GPO** | Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen | **Enabled**| + +## Troubleshooting and logs + +When testing Assigned Access, it can be useful to enable logging to help you troubleshoot issues. Logs can help you identify configuration and runtime issues. You can enable the following log: **Applications and Services Logs** > **Microsoft** > **Windows** > **AssignedAccess** > **Operational**. + +The following registry keys contain the Assigned Access configurations: + +- `HKLM\Software\Microsoft\Windows\AssignedAccessConfiguration` +- `HKLM\Software\Microsoft\Windows\AssignedAccessCsp` + +The following registry key contains the configuration for each user with an Assigned Access policy: + +- `HKCU\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration` + +For more information about troubleshooting kiosk issues, see [Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting). 
+ +## Next steps + +> [!div class="nextstepaction"] +> Learn how to create an XML file to configure Assigned Access: +> +> [Create an Assigned Access configuration file](configuration-file.md) + + + +[WHW-1]: /windows-hardware/customize/enterprise/custom-logon +[WHW-2]: /windows-hardware/customize/enterprise/unified-write-filter diff --git a/windows/configuration/assigned-access/shell-launcher/configuration-file.md b/windows/configuration/assigned-access/shell-launcher/configuration-file.md new file mode 100644 index 00000000000..d63efdb85bc --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/configuration-file.md 
@@ -0,0 +1,291 @@ +--- +title: Create a Shell Launcher configuration file +description: Learn how to create an XML file to configure a device with Shell Launcher. +ms.date: 02/12/2024 +ms.topic: how-to +--- + +# Create a Shell Launcher configuration file + +To configure Shell Launcher, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Shell Launcher XML Schema Definition (XSD)](xsd.md). + +This article describes how to configure a Shell Launcher configuration file, including practical examples. + +Let's start by looking at the basic structure of the XML file. A Shell Launcher configuration file contains: + +- One or multiple `profiles`. Each `profile` defines: + - the application that replaces the standard Windows shell (`Explorer.exe`), which is executed when a user signs in + - the default action to take when the application exits, and actions when the application exits with a specific return code +- One or multiple `configs`. Each `config` associates a user account to a `profile` + +> [!NOTE] +> A profile has no effect if it's not associated to a user account. + +Here's a basic example of a Shell Launcher configuration file, with one profile and one config: + +```xml + + + + + + + + + + + + + +``` + +## Versioning + +The Shell Launcher configuration XML is versioned. The version is defined in the XML root element, and it's used to determine which schema to use to validate the XML file. The version is also used to determine which features are available for the configuration. 
Here's a table of the versions, aliases used in the documentation examples, and namespaces: + +| Version | Alias | Namespace | +|-|-|-| +|Windows 10|`V2`|http://schemas.microsoft.com/ShellLauncher/2019/Configuration| +|Windows 10|default|http://schemas.microsoft.com/ShellLauncher/2018/Configuration| + +To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the kiosk application to execute in full screen, use the below example. Note the alias `V2` associated to `http://schemas.microsoft.com/ShellLauncher/2019/Configuration` namespace, and the alias is tagged on the `AppType` and `AllAppsFullScreen` properties inline. + +```xml + + + + + + + + + + + + + + +``` + +Here you can find the [Shell Launcher XML Schema Definitions (XSDs)](xsd.md). + +## Profiles + +A configuration file can contain one or more profiles. Each profile has a unique identifier `Profile Id` and, optionally, a `Name`. For example: + +```xml + + + + + +``` + +> [!TIP] +> The `Profile Id` must be unique within the XML file. You can generate a GUID with the PowerShell cmdlet `New-Guid`. + +You can define a `Defaultprofile` that is used when no other profile is associated to a user account. This ensures that every user using the device uses the same application. Example: + +```xml + + + + + +``` + +### Shell + +Each profile defines a `Shell` element, which contains details about the application to execute. The `Shell` element has the following properties: + +| Property| Description | Details | +|-|-|-| +|`Shell`| Application that is used as a Windows shell. |- For Universal Windows Platform (UWP) apps, you must provide the App User Model ID (AUMID). Learn how to [Find the Application User Model ID of an installed app](../../store/find-aumid.md).
    - For desktop apps, specify the full path of the executable, which can contain system environment variables in the form of `%variableName%`. You can also specify any parameters that the app might require. | +|`V2:AppType`| Defines the type of application. |Allowed values are `Desktop` and `UWP`.| +|`V2:AllAppsFullScreen` | Boolean value that defines if all applications are executed in full screen. |- When set to `true`, Shell Launcher runs every app in full screen, or maximized for desktop apps.
    - When set to `false` or not set, only the custom shell app runs in full screen; other apps launched by the user run in windowed mode.| + +Example: + +```xml + + + + + +``` + +In the next example, the Weather app is executed in full screen. + +```xml + + + + + + + + + + + +``` + +In the next example, Microsoft Edge is executed in full screen, opening a website. The website is reloaded after 2 minutes of inactivity. + +```xml + + + + + +``` + +#### ReturnCodeActions + +Shell Launcher defines four actions to handle app exits. You can customize Shell Launcher and use the actions based on different exit code. Here are the `ReturnCodeActions` enums: + +- `RestartShell` +- `RestartDevice` +- `ShutdownDevice` +- `DoNothing` + +The actions can be used as default action, or mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to learn how to use exit codes with Shell Launcher WMI. + +You can specify at most four custom actions mapping to four exit codes, and one default action for all other exit codes. When an app exits, and if the exit code isn't found in the custom action mapping, or there's no default action defined, nothing happens. For this reason, you should at least define `DefaultAction`. + +Example: + +```xml + + + + + + + + + + + +``` + +## Configs + +Under `Configs`, define one or more user accounts and their association with a profile. + +Individual accounts are specified using ``. + +> [!IMPORTANT] +> Before applying the Shell Launcher configuration, make sure the specified user account is available on the device, otherwise it fails. +> +> For both domain and Microsoft Entra accounts, as long as the device is Active Directory joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for Shell Launcher. 
+ +### Local user + +Local account can be entered as `devicename\user`, `.\user`, or just `user`. + +```xml + + + + +``` + +### Active Directory user + +Domain accounts must be entered using the format `domain\samAccountName`. + +```xml + + + + +``` + +### Microsoft Entra user + +Microsoft Entra accounts must be specified with the format: `AzureAD\{UPN}`. `AzureAD` must be provided *as is*, then follow with the Microsoft Entra user principal name (UPN). + +```xml + + + + +``` + +When the user account signs in, the associated Shell Launcher profile is applied, loading the application specified in the profile. + +### Autologon account + +With ``, Shell Launcher creates and manages a user account to automatically sign in after a device restarts. The account is a local standard user named `Kiosk`. + +Example: + +```xml + + + + + + + + + + + + + + + + + +``` + +## Example + +Here's a complete example of a Shell Launcher configuration file, with two profiles and three configs: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md new file mode 100644 index 00000000000..eb3b1a1b04f --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md 
@@ -0,0 +1,13 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations +Content-Type: application/json + +{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Kiosk - Shell Launcher", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "ShellLauncher", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/ShellLauncher", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ], } +``` diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md new file mode 100644 index 00000000000..c783de00f63 --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md @@ -0,0 +1,43 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + +```PowerShell +$shellLauncherConfiguration = @" + + + + + + + + + + + + + + + + + + + + + + + + +"@ + +$namespaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) +$obj = Set-CimInstance -CimInstance $obj +``` diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md new file mode 100644 index 00000000000..80e9dd0bb8d --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md 
@@ -0,0 +1,35 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/05/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/windows/configuration/assigned-access/shell-launcher/index.md b/windows/configuration/assigned-access/shell-launcher/index.md new file mode 100644 index 00000000000..2b0ae488ab8 --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/index.md 
@@ -0,0 +1,131 @@ +--- +title: What is Shell Launcher? +description: Learn how to configure devices with Shell Launcher. +ms.date: 06/18/2024 +ms.topic: overview +--- + +# What is Shell Launcher? + +Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`Explorer.exe`) with a Windows desktop application or a Universal Windows Platform (UWP) app. + +Practical examples include: + +- Public browsing +- Interactive digital signage +- ATMs + +Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand. + +With Shell Launcher, you can use features and methods to control access to other applications or system components. These methods include, but aren't limited to: + +- Configuration Service Provider (CSP): you can use a Mobile Device Management (MDM) solution like Microsoft Intune +- Group policy (GPO) +- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) + +Shell Launcher is part of the [Assigned Access](../overview.md) feature, which allows you to configure kiosks or restricted user experiences. To learn about the differences between Shell Launcher and the other options offered by Assigned Access, see [Windows kiosks and restricted user experiences](../index.md). + +[!INCLUDE [shell-launcher](../../../../includes/licensing/shell-launcher.md)] + +## Limitations + +Here are some limitations to consider when using Shell Launcher: + +- Windows doesn't support setting a custom shell before the out-of-box experience (OOBE). If you do, you can't deploy the resulting image +- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. 
For example, you can't specify `write.exe` in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. `Write.exe` creates a 32-bit `wordpad.exe` process and exits. Since Shell Launcher isn't aware of the newly created `wordpad.exe` process, Shell Launcher takes action based on the exit code of `Write.exe`, such as restarting the custom shell + +## Configure a device with Shell Launcher + +The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options: + +- A Mobile Device Management (MDM) solution, like Microsoft Intune +- Provisioning packages +- The MDM Bridge WMI Provider + +To learn how to configure the Shell Launcher XML file, see [Create a Shell Launcher configuration file](configuration-file.md). + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) + +You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3]. + +- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher` +- **Value:** content of the XML configuration file + +Assign the policy to a group that contains as members the devices that you want to configure. 
+ +#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)] + +- **Path:** `SMISettings/ShellLauncher` +- **Value:** depends on specific settings + +[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)] + +#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) + +[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)] + +```PowerShell +$shellLauncherConfiguration = @" + +# content of the XML configuration file + +"@ + +$namespaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) +$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue +if($cimSetError) { + Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" + Write-Error -ErrorRecord $cimSetError[0] + + $timeout = New-TimeSpan -Seconds 30 + $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + do{ + $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore + } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available + + if($events.Count) { + $events | ForEach-Object { + Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")" + } + } else { + Write-Warning "Timed-out attempting to retrieve event logs..." 
+ } + + Exit 1 +} + +Write-Output "Successfully applied Shell Launcher configuration" +``` + +[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)] + +--- + +> [!TIP] +> For practical examples, see the [Quickstart: configure a kiosk experience with Shell Launcher](quickstart-kiosk.md). + +## User experience + +After the settings are applied, the users that are configured to use Shell Launcher will execute the custom shell after sign-in. + +Depending on your configuration, you can have a user to automatically sign in to the device. + +## Next steps + +> [!div class="nextstepaction"] +> Learn how to configure the Shell Launcher XML file: +> +> [Create a Shell Launcher configuration file](configuration-file.md) + + + +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 +[MEM-2]: /mem/intune/fundamentals/licenses#device-only-licenses +[WIN-3]: /windows/client-management/mdm/assignedaccess-csp diff --git a/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md b/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md new file mode 100644 index 00000000000..f217d88363e --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md 
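Review bot: The PowerShell tab added in shell-launcher/index.md writes the encoded XML to `$obj.Configuration`, whereas includes/quickstart-ps.md in this same change writes it to `$obj.ShellLauncher` and the Intune tab targets `./Vendor/MSFT/AssignedAccess/ShellLauncher`. The sample should presumably read `$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)`. The error branch also passes `$eventLogFilterHashTable` to `Get-WinEvent`, but nothing in the visible script defines that variable. With `-ErrorAction Ignore` the loop would likely wait the full 30 seconds and then always print the timed-out warning, so either define the filter hashtable before `Set-CimInstance` or remove the retrieval loop. Because this sample is meant to lock a device down, a line telling readers to sign in as the target account and confirm that the custom shell replaced Explorer would catch a configuration that did not take effect.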
@@ -0,0 +1,69 @@ +--- +title: "Quickstart: configure a kiosk experience with Shell Launcher" +description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO). +ms.topic: quickstart +ms.date: 02/05/2024 +--- + +# Quickstart: configure a kiosk experience with Shell Launcher + +This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Shell Launcher. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, and PowerShell. While different solutions are used, the configuration settings and results are the same. + +The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows. + +## Prerequisites + +>[!div class="checklist"] +>Here's a list of requirements to complete this quickstart: +> +>- A Windows Enterprise or Education device +>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM +>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell + +## Configure a kiosk device + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) + +> [!TIP] +> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags. +> +> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. 
This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. + +[!INCLUDE [quickstart-intune](includes/quickstart-intune.md)] + +Assign the policy to a group that contains as members the devices that you want to configure. + +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3]. + +- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher` +- **Value:** + +[!INCLUDE [quickstart-xml](includes/quickstart-xml.md)] + +#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) + +[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)] + +[!INCLUDE [quickstart-ps](includes/quickstart-ps.md)] + +[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)] + +--- + +## User experience + +After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge. + +## Next steps + +> [!div class="nextstepaction"] +> Learn more how to create a Shell Launcher configuration file: +> +> [Create a Shell Launcher configuration file](configuration-file.md) + + + +[WIN-3]: /windows/client-management/mdm/assignedaccess-csp +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 diff --git a/windows/configuration/assigned-access/shell-launcher/toc.yml b/windows/configuration/assigned-access/shell-launcher/toc.yml new file mode 100644 index 00000000000..047a8acdb91 --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/toc.yml @@ -0,0 +1,9 @@ +items: +- name: What is Shell Launcher? + href: index.md +- name: "Quickstart: Configure a kiosk with Shell Launcher" + href: quickstart-kiosk.md +- name: Create a Shell Launcher configuration file + href: configuration-file.md +- name: Shell Launcher XSD + href: xsd.md 
diff --git a/windows/configuration/assigned-access/shell-launcher/xsd.md b/windows/configuration/assigned-access/shell-launcher/xsd.md new file mode 100644 index 00000000000..ef624ae4344 --- /dev/null +++ b/windows/configuration/assigned-access/shell-launcher/xsd.md @@ -0,0 +1,193 @@ +--- +title: Shell Launcher XML Schema Definition (XSD) +description: Shell Launcher XSD reference article. +ms.topic: reference +ms.date: 02/15/2024 +--- + +# Shell Launcher XML Schema Definition (XSD) + +This reference article contains the latest Shell Launcher XML schema definition (XSD) and the XSD additions for each version of Windows. + +## Shell Launcher XSD + +Here's the latest Shell Launcher XSD, introduced in Windows 11: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Windows 10, version 1903 additions + +In Windows 10, version 1903, Shell Launcher introduced the support of both UWP and desktop apps as the custom shell. + +Here's the Shell Launcher XSD for the features added in Windows 10, version 1903: + +```xml + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/assigned-access/toc.yml b/windows/configuration/assigned-access/toc.yml new file mode 100644 index 00000000000..a80a14dd6a0 --- /dev/null +++ b/windows/configuration/assigned-access/toc.yml 
@@ -0,0 +1,33 @@ +items: +- name: Overview + href: index.md +- name: Assigned Access + items: + - name: What is Assigned Access? + href: overview.md + - name: Quickstarts + items: + - name: Configure a kiosk with Assigned Access + href: quickstart-kiosk.md + - name: Configure a restricted user experience with Assigned Access + href: quickstart-restricted-user-experience.md + - name: Create an Assigned Access configuration file + href: configuration-file.md + - name: Reference + items: + - name: Assigned Access XSD + href: xsd.md + - name: Assigned Access XML examples + href: examples.md + - name: Assigned Access policy settings + href: policy-settings.md +- name: Shell Launcher + href: shell-launcher/toc.yml +- name: Recommendations + href: recommendations.md +- name: Assigned Access CSP 🔗 + href: /windows/client-management/mdm/assignedaccess-csp +- name: Troubleshoot 🔗 + href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting +- name: Configure Microsoft Edge kiosk mode 🔗 + href: /deployedge/microsoft-edge-configure-kiosk-mode \ No newline at end of file diff --git a/windows/configuration/assigned-access/xsd.md b/windows/configuration/assigned-access/xsd.md new file mode 100644 index 00000000000..5cd75dccbef --- /dev/null +++ b/windows/configuration/assigned-access/xsd.md 
@@ -0,0 +1,361 @@ +--- +title: Assigned Access XML Schema Definition (XSD) +description: Assigned Access XSD reference article. +ms.topic: reference +ms.date: 04/08/2024 +--- + +# Assigned Access XML Schema Definition (XSD) + +This reference article contains the latest Assigned Access XML schema definition (XSD) and the XSD additions for each version of Windows. + +## Assigned Access XSD + +Here's the latest Assigned Access XSD, introduced in Windows 11: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Windows 11, version 22H2 additions + +Here's the Assigned Access XSD for the features added in Windows 11: + +```xml + + + + + +``` + +## Windows 11, version 21H2 additions + +Here's the Assigned Access XSD for the features added in Windows 11, version 21H2: + +```xml + + + + + + + + + + + + +``` + +## Windows 10, version 1909 additions + +Here are the Assigned Access XSDs for the features added in Windows 10, version 1909: + +```xml + + + + + + + + + + + + + + + + + + + + + + +``` + +```xml + + + + + + + + + + + + + + + + +``` + +## Windows 10, version 1809 additions + +Here's the Assigned Access XSD for the features added in Windows 10, version 1809: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/cellular/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md index 88c77810eb4..8fcf389cf7c 100644 --- a/windows/configuration/cellular/provisioning-apn.md +++ b/windows/configuration/cellular/provisioning-apn.md 
@@ -1,47 +1,44 @@ --- -title: Configure cellular settings for tablets and PCs -description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. +title: Configure cellular settings +description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles. ms.topic: concept-article -ms.date: 04/13/2018 +ms.date: 04/23/2024 --- -# Configure cellular settings for tablets and PCs +# Configure cellular settings ->**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings) +This article describes how to configure cellular settings for devices that have a cellular modem using a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined in the provisioning package, without needing to connect manually. -Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect. - -For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling. +For users who work in different locations, you can configure one APN to connect when the users are at work, and a different APN when the users are traveling. 
## Prerequisites -- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education) -- Tablet or PC with built-in cellular modem or plug-in USB modem dongle +- Device with built-in cellular modem or plug-in USB modem dongle - [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) -- APN (the address that your PC uses to connect to the Internet when using the cellular data connection) +- APN (the address that the device uses to connect to the Internet when using the cellular data connection) ## How to configure cellular settings in a provisioning package -1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option. -1. Enter a name for your project, and then click **Next**. -1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. -1. Go to **Runtime settings > Connections > EnterpriseAPN**. -1. Enter a name for the connection, and then click **Add**. +1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option +1. Enter a name for your project, and then select **Next** +1. Select **All Windows desktop editions**, select **Next**, and then select **Finish** +1. Go to **Runtime settings > Connections > EnterpriseAPN** +1. Enter a name for the connection, and then select **Add** ![Example of APN connection name.](images/apn-add.png) -1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. +1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection ![settings for new connection.](images/apn-add-details.png) -1. The following table describes the settings available for the connection. +1. 
The following table describes the settings available for the connection | Setting | Description | | --- | --- | - | AlwaysOn | By default, the Connection Manager will automatically attempt to connect to the APN when a connection is available. You can disable this setting. | + | AlwaysOn | By default, the Connection Manager automatically attempts to connect to the APN when a connection is available. You can disable the setting. | | APNName | Enter the name of the APN. | | AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. | - | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN is not only used as the Internet APN. | + | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attached APN isn't only used as the Internet APN. | | Enabled | By default, the connection is enabled. You can change this setting. | | IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. | | IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. | 
@@ -55,22 +52,22 @@ For users who work in different locations, you can configure one APN to connect ## Confirm the settings -After you apply the provisioning package, you can confirm that the settings have been applied. +After you apply the provisioning package, you can confirm that the settings are applied. -1. On the configured device, open a command prompt as an administrator. +1. On the configured device, open a command prompt as an administrator 1. Run the following command: ```cmd netsh mbn show profiles ``` -1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run: +1. The command lists the mobile broadband profiles. Using the **Name** for the listed mobile broadband profile, run: ```cmd netsh mbn show profiles name="name" ``` - This command will list details for that profile, including Access Point Name. + This command lists the details for that profile, including Access Point Name. Alternatively, you can also use the command: @@ -84,4 +81,4 @@ From the results of that command, get the name of the cellular/mobile broadband netsh mbn show connection interface="name" ``` -The result of that command will show details for the cellular interface, including Access Point Name. +The result of that command shows the details for the cellular interface, including Access Point Name. diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 6bb76e2b5ce..5374491680f 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -43,8 +43,6 @@ "uhfHeaderId": "MSDocsHeader-Windows", "ms.subservice": "itpro-configure", "ms.service": "windows-client", - "ms.author": "paoloma", - "author": "paolomatarazzo", "manager": "aaroncz", "feedback_system": "Standard", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", 
@@ -54,12 +52,11 @@
 "folder_relative_path_in_docset": "./"
 }
 },
- "titleSuffix": "Configure Windows",
 "contributors_to_exclude": [
 "dstrome2",
- "rjagiewich",
+ "rjagiewich",
 "American-Dipper",
- "claydetels19",
+ "claydetels19",
 "jborsecnik",
 "v-stchambers",
 "shdyas",
@@ -74,40 +71,66 @@ ] }, "fileMetadata": { - "feedback_system": { - "ue-v/**/*.*": "None" + "author":{ + "accessibility//**/*.md": "paolomatarazzo", + "accessibility//**/*.yml": "paolomatarazzo", + "assigned-access//**/*.md": "paolomatarazzo", + "assigned-access//**/*.yml": "paolomatarazzo", + "cellular//**/*.md": "paolomatarazzo", + "cellular//**/*.yml": "paolomatarazzo", + "lock-screen//**/*.md": "paolomatarazzo", + "lock-screen//**/*.yml": "paolomatarazzo", + "provisioning-packages//**/*.md": "vinaypamnani-msft", + "provisioning-packages//**/*.yml": "vinaypamnani-msft", + "shared-pc//**/*.md": "paolomatarazzo", + "shared-pc//**/*.yml": "paolomatarazzo", + "start//**/*.md": "paolomatarazzo", + "start//**/*.yml": "paolomatarazzo", + "store//**/*.md": "paolomatarazzo", + "store//**/*.yml": "paolomatarazzo", + "taskbar//**/*.md": "paolomatarazzo", + "taskbar//**/*.yml": "paolomatarazzo", + "tips//**/*.md": "paolomatarazzo", + "tips//**/*.yml": "paolomatarazzo", + "wcd//**/*.md": "vinaypamnani-msft", + "wcd//**/*.yml": "vinaypamnani-msft" }, - "author": { - "wcd//**/*.md": "aczechowski", - "wcd//**/*.yml": "aczechowski", - "ue-v//**/*.md": "aczechowski", - "ue-v//**/*.yml": "aczechowski" - }, - "ms.author": { - "wcd//**/*.md": "aaroncz", - "wcd//**/*.yml": "aaroncz", - "ue-v//**/*.md": "aaroncz", - "ue-v//**/*.yml": "aaroncz" + "ms.author":{ + "accessibility//**/*.md": "paoloma", + "accessibility//**/*.yml": "paoloma", + "assigned-access//**/*.md": "paoloma", + "assigned-access//**/*.yml": "paoloma", + "cellular//**/*.md": "paoloma", + "cellular//**/*.yml": "paoloma", + "lock-screen//**/*.md": "paoloma", + "lock-screen//**/*.yml": "paoloma", + "provisioning-packages//**/*.md": "vinpa", + "provisioning-packages//**/*.yml": "vinpa", + "shared-pc//**/*.md": "paoloma", + "shared-pc//**/*.yml": "paoloma", + "start//**/*.md": "paoloma", + "start//**/*.yml": "paoloma", + "store//**/*.md": "paoloma", + "store//**/*.yml": "paoloma", + "taskbar//**/*.md": "paoloma", + 
"taskbar//**/*.yml": "paoloma", + "tips//**/*.md": "paoloma", + "tips//**/*.yml": "paoloma", + "wcd//**/*.md": "vinpa", + "wcd//**/*.yml": "vinpa" }, "ms.reviewer": { "kiosk//**/*.md": "sybruckm", "start//**/*.md": "ericpapa" }, "ms.collection": { - "wcd//**/*.md": "must-keep", - "ue-v//**/*.md": [ - "must-keep", - "tier3" - ] + "wcd//**/*.md": "must-keep" }, "appliesto": { "*/**/*.md": [ "✅ Windows 11", "✅ Windows 10" ], - "ue-v//**/*.md": [ - "✅ Windows 10" - ], "wcd//**/*.md": "" } }, diff --git a/windows/configuration/images/icons/allapps.svg b/windows/configuration/images/icons/allapps.svg new file mode 100644 index 00000000000..dbcdff62683 --- /dev/null +++ b/windows/configuration/images/icons/allapps.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/certificate.svg b/windows/configuration/images/icons/certificate.svg new file mode 100644 index 00000000000..956bfc1e427 --- /dev/null +++ b/windows/configuration/images/icons/certificate.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/cmd.svg b/windows/configuration/images/icons/cmd.svg new file mode 100644 index 00000000000..e712a4fff58 --- /dev/null +++ b/windows/configuration/images/icons/cmd.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/windows/configuration/images/icons/control-panel.svg b/windows/configuration/images/icons/control-panel.svg new file mode 100644 index 00000000000..6eebbe9be8c --- /dev/null +++ b/windows/configuration/images/icons/control-panel.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/windows/configuration/images/icons/explorer.svg b/windows/configuration/images/icons/explorer.svg new file mode 100644 index 00000000000..070605d32b6 --- /dev/null +++ b/windows/configuration/images/icons/explorer.svg @@ -0,0 +1,88 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
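Review bot: The `ms.reviewer` map in the `@@ -74,40 +71,66 @@` hunk of docfx.json still carries `"kiosk//**/*.md": "sybruckm"`, although this commit deletes articles under `kiosk/` and `index.yml` now links to `assigned-access/`, so that glob probably matches little or nothing and the moved kiosk content appears to have no reviewer assigned. The new `author` and `ms.author` maps also have no entry for `windows-spotlight//`, which the new `index.yml` links to, and the earlier hunk (`@@ -43,8 +43,6 @@`) drops the global `ms.author`/`author` defaults, so any file outside the listed folders would be published without an owner unless its own front matter sets one. If those folders exist in the tree, add `"windows-spotlight//**/*.md": "paolomatarazzo",` (with the matching `.yml` and `ms.author` lines) and consider `"assigned-access//**/*.md": "sybruckm"` in place of the `kiosk//` entry.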
diff --git a/windows/configuration/images/icons/face.svg b/windows/configuration/images/icons/face.svg new file mode 100644 index 00000000000..a4fa1ca0dfb --- /dev/null +++ b/windows/configuration/images/icons/face.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/fingerprint.svg b/windows/configuration/images/icons/fingerprint.svg new file mode 100644 index 00000000000..2494d65659a --- /dev/null +++ b/windows/configuration/images/icons/fingerprint.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/folder.svg b/windows/configuration/images/icons/folder.svg new file mode 100644 index 00000000000..468edaf9616 --- /dev/null +++ b/windows/configuration/images/icons/folder.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/group-policy.svg b/windows/configuration/images/icons/group-policy.svg new file mode 100644 index 00000000000..e6ec2d2c2e5 --- /dev/null +++ b/windows/configuration/images/icons/group-policy.svg @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + diff --git a/windows/configuration/images/icons/information.svg b/windows/configuration/images/icons/information.svg index bc692eabb98..4a33944103f 100644 --- a/windows/configuration/images/icons/information.svg +++ b/windows/configuration/images/icons/information.svg @@ -1,3 +1,3 @@ - - - \ No newline at end of file + + + diff --git a/windows/configuration/images/icons/insider.svg b/windows/configuration/images/icons/insider.svg new file mode 100644 index 00000000000..fa002fa2a1a --- /dev/null +++ b/windows/configuration/images/icons/insider.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/intune.svg b/windows/configuration/images/icons/intune.svg index 6e0d938aed8..22148b48fb4 100644 --- a/windows/configuration/images/icons/intune.svg +++ b/windows/configuration/images/icons/intune.svg 
@@ -1,24 +1,23 @@ - - - - - - - - - - - - - - - - Icon-intune-329 - - - - - - - - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/configuration/images/icons/iris.svg b/windows/configuration/images/icons/iris.svg new file mode 100644 index 00000000000..465902e0b39 --- /dev/null +++ b/windows/configuration/images/icons/iris.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/kiosk.svg b/windows/configuration/images/icons/kiosk.svg new file mode 100644 index 00000000000..f975677d19d --- /dev/null +++ b/windows/configuration/images/icons/kiosk.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/lock.svg b/windows/configuration/images/icons/lock.svg new file mode 100644 index 00000000000..ccd1850fbbb --- /dev/null +++ b/windows/configuration/images/icons/lock.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/notification.svg b/windows/configuration/images/icons/notification.svg new file mode 100644 index 00000000000..0da0f9814dc --- /dev/null +++ b/windows/configuration/images/icons/notification.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/package.svg b/windows/configuration/images/icons/package.svg new file mode 100644 index 00000000000..99c1148922c --- /dev/null +++ b/windows/configuration/images/icons/package.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/pin-code.svg b/windows/configuration/images/icons/pin-code.svg new file mode 100644 index 00000000000..a5bfdc4148b --- /dev/null +++ b/windows/configuration/images/icons/pin-code.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/pin.svg b/windows/configuration/images/icons/pin.svg new file mode 100644 index 00000000000..64426df32ce --- /dev/null +++ b/windows/configuration/images/icons/pin.svg @@ -0,0 +1,3 @@ + + + 
diff --git a/windows/configuration/images/icons/power.svg b/windows/configuration/images/icons/power.svg new file mode 100644 index 00000000000..e74606b72c1 --- /dev/null +++ b/windows/configuration/images/icons/power.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/powershell.svg b/windows/configuration/images/icons/powershell.svg index b23a99c61d9..3d90e2ff6fe 100644 --- a/windows/configuration/images/icons/powershell.svg +++ b/windows/configuration/images/icons/powershell.svg @@ -1,9 +1,9 @@ - - + + - + - + diff --git a/windows/configuration/images/icons/registry.svg b/windows/configuration/images/icons/registry.svg new file mode 100644 index 00000000000..667bce74384 --- /dev/null +++ b/windows/configuration/images/icons/registry.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/windows/configuration/images/icons/rocket.svg b/windows/configuration/images/icons/rocket.svg new file mode 100644 index 00000000000..ee39fb57aab --- /dev/null +++ b/windows/configuration/images/icons/rocket.svg @@ -0,0 +1,155 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/configuration/images/icons/sc.svg b/windows/configuration/images/icons/sc.svg new file mode 100644 index 00000000000..d1924ffebbd --- /dev/null +++ b/windows/configuration/images/icons/sc.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/settings-app.svg b/windows/configuration/images/icons/settings-app.svg new file mode 100644 index 00000000000..d62d13fb543 --- /dev/null +++ b/windows/configuration/images/icons/settings-app.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/windows/configuration/images/icons/settings.svg b/windows/configuration/images/icons/settings.svg index 9ec19d16aa6..36da6757f2b 100644 --- a/windows/configuration/images/icons/settings.svg +++ b/windows/configuration/images/icons/settings.svg @@ -1,19 +1,3 @@ - - - - - - - - - - - - - - - - - + diff --git a/windows/configuration/images/icons/start.svg b/windows/configuration/images/icons/start.svg new file mode 100644 index 00000000000..a3e6c3d8e89 --- /dev/null +++ b/windows/configuration/images/icons/start.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/subscription.svg b/windows/configuration/images/icons/subscription.svg new file mode 100644 index 00000000000..ffa73c424e9 --- /dev/null +++ b/windows/configuration/images/icons/subscription.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/taskbar.svg b/windows/configuration/images/icons/taskbar.svg new file mode 100644 index 00000000000..1a5a54d9800 --- /dev/null +++ b/windows/configuration/images/icons/taskbar.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/touch.svg b/windows/configuration/images/icons/touch.svg new file mode 100644 index 00000000000..886e616e567 --- /dev/null +++ b/windows/configuration/images/icons/touch.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/user.svg b/windows/configuration/images/icons/user.svg new file mode 100644 index 00000000000..76c0b2ce5d0 --- /dev/null +++ b/windows/configuration/images/icons/user.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/vsc.svg b/windows/configuration/images/icons/vsc.svg new file mode 100644 index 00000000000..cbf23de89ef --- /dev/null +++ b/windows/configuration/images/icons/vsc.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/configuration/images/icons/windows-os.svg b/windows/configuration/images/icons/windows-os.svg deleted file mode 100644 index da64baf975a..00000000000 
--- a/windows/configuration/images/icons/windows-os.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index cf169d04cbe..fa1a297ecf7 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -11,7 +11,7 @@ metadata: author: paolomatarazzo ms.author: paoloma manager: aaroncz - ms.date: 02/06/2024 + ms.date: 04/25/2024 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new 
@@ -21,40 +21,66 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Customize the Windows Start menu layout - url: start/customize-start-menu-layout-windows-11.md - - text: Customize the Windows taskbar - url: taskbar/customize-taskbar-windows-11.md - - text: Configure Windows Spotlight on the lock screen - url: lock-screen/windows-spotlight.md + - text: Configure the Start menu + url: start/index.md + - text: Customize the Taskbar + url: taskbar/index.md + - text: Configure Windows spotlight + url: windows-spotlight/index.md - text: Accessibility information for IT pros url: accessibility/index.md + - linkListType: reference + links: + - text: Start policy settings + url: start/policy-settings.md - - title: Configure a Windows kiosk + - title: Kiosks and restricted user experiences linkLists: + - linkListType: concept + links: + - text: What is Assigned Access? + url: assigned-access/overview.md + - text: What is Shell Launcher? + url: assigned-access/shell-launcher/index.md - linkListType: how-to-guide links: - - text: Configure kiosks and digital signs - url: kiosk/kiosk-methods.md - - text: Set up a single-app kiosk - url: kiosk/kiosk-single-app.md - - text: Set up a multi-app kiosk for Windows 11 - url: kiosk/lock-down-windows-11-to-specific-apps.md - - text: Manage multi-user and guest devices - url: shared-devices-concepts.md + - text: Configure kiosks and restricted user experiences + url: assigned-access/index.md + - linkListType: quickstart + links: + - text: Configure a kiosk with Assigned Access + url: assigned-access/quickstart-kiosk.md + - text: Configure a kiosk with Shell Launcher + url: assigned-access/shell-launcher/quickstart-kiosk.md + - text: Configure a restricted user experience with Assigned Access + url: assigned-access/quickstart-restricted-user-experience.md + - linkListType: reference + links: + - text: Assigned Access XML Schema Definition (XSD) + url: assigned-access/xsd.md + - text: Shell Launcher XML Schema 
Definition (XSD) + url: assigned-access/shell-launcher/xsd.md - title: Configure shared devices linkLists: + - linkListType: concept + links: + - text: Shared devices concepts + url: /windows/configuration/shared-pc/shared-devices-concepts - linkListType: how-to-guide links: - - text: Manage multi-user and guest devices - url: shared-devices-concepts.md + - text: Configure a shared or guest Windows device + url: /windows/configuration/shared-pc/set-up-shared-or-guest-pc + - linkListType: reference + links: + - text: Shared PC technical reference + url: /windows/configuration/shared-pc/shared-pc-technical - title: Use provisioning packages linkLists: - linkListType: how-to-guide links: - - text: Provisioning packages for Windows + - text: Provisioning packages overview url: provisioning-packages/provisioning-packages.md - text: Install Windows Configuration Designer url: provisioning-packages/provisioning-install-icd.md diff --git a/windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md deleted file mode 100644 index 862316c47b5..00000000000 --- a/windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md +++ /dev/null 
@@ -1,143 +0,0 @@ ---- -title: Find the Application User Model ID of an installed app -description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. -ms.topic: article -ms.date: 12/31/2017 ---- - -# Find the Application User Model ID of an installed app - -To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry. - -## To find the AUMID by using Windows PowerShell - -To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command: - -```powershell -Get-StartApps -``` - -To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands: - -```powershell -$installedapps = Get-AppxPackage - -$aumidList = @() -foreach ($app in $installedapps) -{ - foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id) - { - $aumidList += $app.packagefamilyname + "!" + $id - } -} - -$aumidList -``` - -You can add the `-user ` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. - -## To find the AUMID by using File Explorer - -To get the names and AUMIDs for all apps installed for the current user, perform the following steps: - -1. Open **Run**, enter **shell:Appsfolder**, and select **OK**. -1. A File Explorer window opens. Press **Alt** > **View** > **Choose details**. -1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) 
- -![Image of the Choose Details options.](images/aumid-file-explorer.png) - -## To find the AUMID of an installed app for the current user by using the registry - -Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. - -At a command prompt, type the following command: - -```cmd -reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ" -``` - -### Example to get AUMIDs of the installed apps for the specified user - -The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. - -```powershell -function listAumids( $userAccount ) { - - if ($userAccount -eq "allusers") - { - # Find installed packages for all accounts. Must be run as an administrator in order to use this option. - $installedapps = Get-AppxPackage -allusers - } - elseif ($userAccount) - { - # Find installed packages for the specified account. Must be run as an administrator in order to use this option. - $installedapps = Get-AppxPackage -user $userAccount - } - else - { - # Find installed packages for the current account. - $installedapps = Get-AppxPackage - } - - $aumidList = @() - foreach ($app in $installedapps) - { - foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id) - { - $aumidList += $app.packagefamilyname + "!" + $id - } - } - - return $aumidList -} -``` - -The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it. 
- -```powershell -# Get a list of AUMIDs for the current account: -listAumids - -# Get a list of AUMIDs for an account named "CustomerAccount": -listAumids("CustomerAccount") - -# Get a list of AUMIDs for all accounts on the device: -listAumids("allusers") -``` - -### Example to get the AUMID of any application in the Start menu - -The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. - -```powershell -function Get-AppAUMID { -param ( -[string]$AppName -) -$Apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() -if ($AppName){ - $Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}} - if ($Result){ - Return $Result - } - else {"Unable to locate {0}" -f $AppName} -} -else { - $Result = $Apps | Select-Object name,@{n="AUMID";e={$_.path}} - Return $Result -} -} -``` - -The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it. - -```powershell -# Get the AUMID for OneDrive -Get-AppAUMID -AppName OneDrive - -# Get the AUMID for Microsoft Word -Get-AppAUMID -AppName Word - -# List all apps and their AUMID in the Start menu -Get-AppAUMID -``` diff --git a/windows/configuration/kiosk/guidelines-for-assigned-access-app.md b/windows/configuration/kiosk/guidelines-for-assigned-access-app.md deleted file mode 100644 index 4ed078e5e1a..00000000000 --- a/windows/configuration/kiosk/guidelines-for-assigned-access-app.md +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -title: Guidelines for choosing an app for assigned access -description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -ms.topic: article -ms.date: 12/31/2017 ---- - -# Guidelines for choosing an app for assigned access (kiosk mode) - -Use assigned access to restrict users to use only one application, so that the device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. - -The following guidelines may help you choose an appropriate Windows app for your assigned access experience. - -## General guidelines - -- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps). -- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. -- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps. - -## Guidelines for Windows apps that launch other apps - -Some apps can launch other apps. Assigned access prevents Windows apps from launching other apps. - -Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality. - -## Guidelines for web browsers - -Microsoft Edge includes support for kiosk mode. 
[Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) - -In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website. - ->[!NOTE] ->Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. -> ->Kiosk Browser can't access intranet websites. - -**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11. - -1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) -1. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps) -1. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions. 
- ->[!NOTE] ->If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). - -### Kiosk Browser settings - -| Kiosk Browser settings | Use this setting to | -|--|--| -| Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

    For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. | -| Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

    If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. | -| Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. | -| Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. | -| Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. | -| Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. | -| Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. | - -To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: - -1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer -1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18) -1. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com) -1. Save the XML file -1. Open the project again in Windows Configuration Designer -1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed - -> [!TIP] -> -> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information: -> -> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton -> - Data type: Integer -> - Value: 1 - -#### Rules for URLs in Kiosk Browser settings - -Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home). 
- -URLs can include: - -- A valid port value from 1 to 65,535. -- The path to the resource. -- Query parameters. - -More guidelines for URLs: - -- If a period precedes the host, the policy filters exact host matches only -- You can't use user:pass fields -- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence -- The policy searches wildcards (*) last -- The optional query is a set of key-value and key-only tokens delimited by '&' -- Key-value tokens are separated by '=' -- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching - -### Examples of blocked URLs and exceptions - -The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. - -| Blocked URL rule | Block URL exception rule | Result | -|--|--|--| -| `*` | `contoso.com`
    `fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. | -| `contoso.com` | `mail.contoso.com`
    `.contoso.com`
    `.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. | -| `youtube.com` | `youtube.com/watch?v=v1`
    `youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). | - -The following table gives examples for blocked URLs. - -| Entry | Result | -|--|--| -| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com | -| `https://*` | Blocks all HTTPS requests to any domain. | -| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com | -| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. | -| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. | -| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. | -| `*:8080` | Blocks all requests to port 8080. | -| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. | -| `192.168.1.2` | Blocks requests to 192.168.1.1. | -| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. | - -### Other browsers - -You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: - -- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) -- [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView) -- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) - -## Secure your information - -Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. 
-
-## App configuration
-
-Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
-
-Check the guidelines published by your selected app and set up accordingly.
-
-## Develop your kiosk app
-
-Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
-
-Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
-
-## Test your assigned access experience
-
-The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you've selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
diff --git a/windows/configuration/kiosk/images/account-management-details.PNG b/windows/configuration/kiosk/images/account-management-details.PNG
deleted file mode 100644
index e4307d8f7b7..00000000000
Binary files a/windows/configuration/kiosk/images/account-management-details.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/add-applications-details.PNG b/windows/configuration/kiosk/images/add-applications-details.PNG
deleted file mode 100644
index 2efd3483aed..00000000000
Binary files a/windows/configuration/kiosk/images/add-applications-details.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/add-certificates-details.PNG b/windows/configuration/kiosk/images/add-certificates-details.PNG
deleted file mode 100644
index 78cd783282e..00000000000
Binary files a/windows/configuration/kiosk/images/add-certificates-details.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/apprule.png b/windows/configuration/kiosk/images/apprule.png
deleted file mode 100644
index ec5417849af..00000000000
Binary files a/windows/configuration/kiosk/images/apprule.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/appwarning.png b/windows/configuration/kiosk/images/appwarning.png
deleted file mode 100644
index 877d8afebd0..00000000000
Binary files a/windows/configuration/kiosk/images/appwarning.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/aumid-file-explorer.png b/windows/configuration/kiosk/images/aumid-file-explorer.png
deleted file mode 100644
index 87bc7166a38..00000000000
Binary files a/windows/configuration/kiosk/images/aumid-file-explorer.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/auto-signin.png b/windows/configuration/kiosk/images/auto-signin.png
deleted file mode 100644
index 260376199ec..00000000000
Binary files a/windows/configuration/kiosk/images/auto-signin.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/enable-assigned-access-log.png b/windows/configuration/kiosk/images/enable-assigned-access-log.png
deleted file mode 100644
index d16f04c43a4..00000000000
Binary files a/windows/configuration/kiosk/images/enable-assigned-access-log.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/finish-details.png b/windows/configuration/kiosk/images/finish-details.png
deleted file mode 100644
index 727efac696f..00000000000
Binary files a/windows/configuration/kiosk/images/finish-details.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/genrule.png b/windows/configuration/kiosk/images/genrule.png
deleted file mode 100644
index 1d68f1ad0b8..00000000000
Binary files a/windows/configuration/kiosk/images/genrule.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/kiosk-account-details.PNG b/windows/configuration/kiosk/images/kiosk-account-details.PNG
deleted file mode 100644
index 53c31880ea3..00000000000
Binary files a/windows/configuration/kiosk/images/kiosk-account-details.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/kiosk-common-details.PNG b/windows/configuration/kiosk/images/kiosk-common-details.PNG
deleted file mode 100644
index 5eda9b293e9..00000000000
Binary files a/windows/configuration/kiosk/images/kiosk-common-details.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/kiosk-fullscreen-sm.png b/windows/configuration/kiosk/images/kiosk-fullscreen-sm.png
deleted file mode 100644
index b096d6837d5..00000000000
Binary files a/windows/configuration/kiosk/images/kiosk-fullscreen-sm.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/kiosk-settings.PNG b/windows/configuration/kiosk/images/kiosk-settings.PNG
deleted file mode 100644
index 51a43383714..00000000000
Binary files a/windows/configuration/kiosk/images/kiosk-settings.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/kiosk-wizard.png b/windows/configuration/kiosk/images/kiosk-wizard.png
deleted file mode 100644
index 160e170e5c6..00000000000
Binary files a/windows/configuration/kiosk/images/kiosk-wizard.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/lockdownapps.png b/windows/configuration/kiosk/images/lockdownapps.png
deleted file mode 100644
index beb73e5370d..00000000000
Binary files a/windows/configuration/kiosk/images/lockdownapps.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/multiappassignedaccesssettings.png b/windows/configuration/kiosk/images/multiappassignedaccesssettings.png
deleted file mode 100644
index 86e2e0a451e..00000000000
Binary files a/windows/configuration/kiosk/images/multiappassignedaccesssettings.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/profile-config.png b/windows/configuration/kiosk/images/profile-config.png
deleted file mode 100644
index 24a4dad4abd..00000000000
Binary files a/windows/configuration/kiosk/images/profile-config.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/sample-start.png b/windows/configuration/kiosk/images/sample-start.png
deleted file mode 100644
index 8ef9cc928c9..00000000000
Binary files a/windows/configuration/kiosk/images/sample-start.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/set-assignedaccess.png b/windows/configuration/kiosk/images/set-assignedaccess.png
deleted file mode 100644
index c2899361eb0..00000000000
Binary files a/windows/configuration/kiosk/images/set-assignedaccess.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/set-up-device-details.PNG b/windows/configuration/kiosk/images/set-up-device-details.PNG
deleted file mode 100644
index 031dac6fe62..00000000000
Binary files a/windows/configuration/kiosk/images/set-up-device-details.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/set-up-network-details.PNG b/windows/configuration/kiosk/images/set-up-network-details.PNG
deleted file mode 100644
index 778b8497c46..00000000000
Binary files a/windows/configuration/kiosk/images/set-up-network-details.PNG and /dev/null differ
diff --git a/windows/configuration/kiosk/images/slv2-oma-uri.png b/windows/configuration/kiosk/images/slv2-oma-uri.png
deleted file mode 100644
index 98ee252b639..00000000000
Binary files a/windows/configuration/kiosk/images/slv2-oma-uri.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/vm-kiosk-connect.png b/windows/configuration/kiosk/images/vm-kiosk-connect.png
deleted file mode 100644
index 2febd9d5730..00000000000
Binary files a/windows/configuration/kiosk/images/vm-kiosk-connect.png and /dev/null differ
diff --git a/windows/configuration/kiosk/images/vm-kiosk.png b/windows/configuration/kiosk/images/vm-kiosk.png
deleted file mode 100644
index 59f01c1348f..00000000000
Binary files a/windows/configuration/kiosk/images/vm-kiosk.png and /dev/null differ
diff --git a/windows/configuration/kiosk/kiosk-additional-reference.md b/windows/configuration/kiosk/kiosk-additional-reference.md
deleted file mode 100644
index d652bf9874b..00000000000
--- a/windows/configuration/kiosk/kiosk-additional-reference.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: More kiosk methods and reference information
-description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
-ms.topic: reference
-ms.date: 12/31/2017
----
-
-# More kiosk methods and reference information
-
-## In this section
-
-| Topic | Description |
-|--|--|
-| [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app. |
-| [Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk. |
-| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. |
-| [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. |
-| [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. |
-| [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. |
-| [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. |
-| [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. |
-| [Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration. |
diff --git a/windows/configuration/kiosk/kiosk-mdm-bridge.md b/windows/configuration/kiosk/kiosk-mdm-bridge.md
deleted file mode 100644
index 7725923709f..00000000000
--- a/windows/configuration/kiosk/kiosk-mdm-bridge.md
+++ /dev/null
@@ -1,143 +0,0 @@ ---- -title: Use MDM Bridge WMI Provider to create a Windows kiosk -description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -ms.topic: article -ms.date: 1/26/2024 -zone_pivot_groups: windows-versions-11-10 -appliesto: ---- - -# Use MDM Bridge WMI Provider to create a Windows client kiosk - -Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). - -Here's an example to set AssignedAccess configuration: - -1. [Download PsTools][PSTools] -1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` -1. 
In the PowerShell session launched by `psexec.exe`, execute the following script: - -::: zone pivot="windows-10" - -```PowerShell -$nameSpaceName="root\cimv2\mdm\dmmap" -$className="MDM_AssignedAccess" -$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -Add-Type -AssemblyName System.Web - -$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - MultiAppKioskUser - - - - -"@) - -Set-CimInstance -CimInstance $obj -``` - -::: zone-end - -::: zone pivot="windows-11" - - ```PowerShell -$nameSpaceName="root\cimv2\mdm\dmmap" -$className="MDM_AssignedAccess" -$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -Add-Type -AssemblyName System.Web - -$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" - - - - - - - - - - - - - - - - - - - - - - - MultiAppKioskUser - - - - -"@) - -Set-CimInstance -CimInstance $obj -``` - -::: zone-end - -For more information, see [Using PowerShell scripting with the WMI Bridge Provider][WIN-1]. - - - -[WIN-1]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider -[PsTools]: https://download.sysinternals.com/files/PSTools.zip diff --git a/windows/configuration/kiosk/kiosk-methods.md b/windows/configuration/kiosk/kiosk-methods.md deleted file mode 100644 index 6db61a28ec1..00000000000 --- a/windows/configuration/kiosk/kiosk-methods.md +++ /dev/null 
@@ -1,76 +0,0 @@
----
-title: Configure kiosks and digital signs on Windows 10/11 desktop editions
-description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
-ms.topic: article
-ms.date: 12/31/2017
----
-
-# Configure kiosks and digital signs on Windows desktop editions
-
-Organization may want to set up special purpose devices, such as a device in the lobby that customers can use to view product catalogs, or a device displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
-
-- Single-app kiosk: runs a single Universal Windows Platform (UWP) application in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart
-- Multi-app kiosk: runs one or more applications from the desktop. People using the kiosk see a customized Start menu that shows only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types
-
-A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen.
-
-A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device.
-
-Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
-
-There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
-
-- **Which type of app will your kiosk run?**
- Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
-- **Which type of kiosk do you need?**
- If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a multi-app kiosk
-- **Which edition of Windows client will the kiosk run?**
- All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home
-- **Which type of user account will be the kiosk account?**
- The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method
-
->[!IMPORTANT]
->Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
-
-[!INCLUDE [assigned-access-kiosk-mode](../../../includes/licensing/assigned-access-kiosk-mode.md)]
-
-## Methods for a single-app kiosk running a UWP app
-
-| You can use this method | For this edition | For this kiosk account type |
-|--|--|--|
-| [Assigned access in Settings](kiosk-single-app.md) | Pro, Ent, Edu | Local standard user |
-| [Assigned access cmdlets](kiosk-single-app.md) | Pro, Ent, Edu | Local standard user |
-| [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
-| [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID |
-| [Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
-
-## Methods for a single-app kiosk running a Windows desktop application
-
-| You can use this method | For this edition | For this kiosk account type |
-|--|--|--|
-| [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
-| [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID |
-| [Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
-
-## Methods for a multi-app kiosk
-
-| You can use this method | For this edition | For this kiosk account type |
-|--|--|--|
-| [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
-| [Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID |
-| [MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID |
-
-## Summary of kiosk configuration methods
-
-| Method | App type | Account type | Single-app kiosk | Multi-app kiosk |
-|--|--|--|:-:|:-:|
-| [Assigned access in Settings](kiosk-single-app.md) | UWP | Local account | ✅ |
-| [Assigned access cmdlets](kiosk-single-app.md) | UWP | Local account | ✅ |
-| [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
-| [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | ✅ |
-| Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✅ | ✅ |
-| [Shell Launcher](kiosk-shelllauncher.md) | Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
-| [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅ |
-
->[!NOTE]
->For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps.
diff --git a/windows/configuration/kiosk/kiosk-policies.md b/windows/configuration/kiosk/kiosk-policies.md
deleted file mode 100644
index 3ab125b8920..00000000000
--- a/windows/configuration/kiosk/kiosk-policies.md
+++ /dev/null
@@ -1,98 +0,0 @@ ---- -title: Policies enforced on kiosk devices -description: Learn about the policies enforced on a device when you configure it as a kiosk. -ms.topic: article -ms.date: 12/31/2017 ---- - -# Policies enforced on kiosk devices - -It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. - -When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. - -## Group Policy - -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users. - -| Setting | Value | -|--|--| -| Remove access to the context menus for the task bar | Enabled | -| Clear history of recently opened documents on exit | Enabled | -| Prevent users from customizing their Start Screen | Enabled | -| Prevent users from uninstalling applications from Start | Enabled | -| Remove Run menu from Start Menu | Enabled | -| Disable showing balloon notifications as toast | Enabled | -| Do not allow pinning items in Jump Lists | Enabled | -| Do not allow pinning programs to the Taskbar | Enabled | -| Do not display or track items in Jump Lists from remote locations | Enabled | -| Remove Notifications and Action Center | Enabled | -| Lock all taskbar settings | Enabled | -| Lock the Taskbar | Enabled | -| Prevent users from adding or removing toolbars | Enabled | -| Prevent users from resizing the taskbar | Enabled | -| Remove frequent programs list from the Start Menu | Enabled | -| Remove Pinned programs from the taskbar | Enabled | -| Remove the Security and Maintenance icon | Enabled | -| Turn off all balloon notifications | Enabled | -| Turn off feature advertisement balloon notifications | Enabled | 
-| Turn off toast notifications | Enabled | -| Remove Task Manager | Enabled | -| Remove Change Password option in Security Options UI | Enabled | -| Remove Sign Out option in Security Options UI | Enabled | -| Remove All Programs list from the Start Menu | Enabled - Remove and disable setting | -| Prevent access to drives from My Computer | Enabled - Restrict all drives | - ->[!NOTE] ->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. - -## MDM policy - -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact). 
- -| Setting | Value | System-wide | -|--|--|--| -| [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes | -| [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes | -| Start/HidePeopleBar | 1 - True (hide) | No | -| [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes | -| [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes | -| [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No | -| [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes | - - - diff --git a/windows/configuration/kiosk/kiosk-prepare.md b/windows/configuration/kiosk/kiosk-prepare.md deleted file mode 100644 index cf393573ada..00000000000 --- a/windows/configuration/kiosk/kiosk-prepare.md +++ /dev/null 
@@ -1,286 +0,0 @@ ---- -title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs -description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. -ms.topic: article -ms.date: 12/31/2017 ---- - -# Prepare a device for kiosk configuration - -## Before you begin - -- [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. -- Kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that's set up as a kiosk. -- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. - - Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account. - -- MDM providers, such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. 
If you're not managing your devices using an MDM provider, the following resources may help you get started: - - - [Endpoint Management at Microsoft](/mem/endpoint-manager-getting-started) - - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) - -## Configuration recommendations - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: - -- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options: - - - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications` - - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. - - - **Use the registry**: - - 1. Open Registry Editor (regedit). - 1. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. - 1. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`. - 1. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter: - - `1`: Hides all notifications except restart warnings. - - `2`: Hides all notifications, including restart warnings. - -- **Enable and schedule automatic updates**. To enable this feature, you have the following options: - - - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. 
Select `4 - Auto download and schedule the install`. - - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. - - You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available. - -- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options: - - - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`. - - - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. - -- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor: - - 1. Open Registry Editor (regedit). - 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`. - 1. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`. - -- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting. 
- - Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11. - - Your options: - - - Use the **Settings** app: - 1. Open the **Settings** app. - 1. Go to **System** > **Tablet mode**. - 1. Configure the settings you want. - - - Use the **Action Center**: - 1. On your device, swipe in from the left. - 1. Select **Tablet mode**. - -- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options: - - - **Use an MDM provider**: In Intune, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature. - - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen). - -- **Disable the hardware power button**: To enable this feature, you have the following options: - - - **Use the Settings app**: - 1. Open the **Settings** app. - 1. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**. - 1. Select **Do nothing**. - 1. **Save changes**. - - - **Use Group Policy**: Your options: - - - `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**. - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. - - `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy. - - To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. 
- - - **Use an MDM provider**: In Intune, you have some options: - - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: - - - `Power\Select Power Button Action on Battery`: Set to **Take no action**. - - `Power\Select Power Button Action on Plugged In`: Set to **Take no action**. - - `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it. - - - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting: - - - `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. - - When looking at settings, check the supported OS for each setting to make sure it applies. - - - [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage. - -- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options: - - - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**. - - - **Use MDM**: In Intune, you have the following option: - - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: - - - `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**. 
- -- **Disable the camera**: To enable this feature, you have the following options: - - - **Use the Settings app**: - - 1. Open the **Settings** app. - 1. Go to **Privacy** > **Camera**. - 1. Select **Allow apps use my camera** > **Off**. - - - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**. - - - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options: - - - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage. - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: - - - `Camera\Allow camera`: Set to **Not allowed**. - -- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options: - - - **Use the Settings app**: - - 1. Open the **Settings** app. - 1. Go to **System** > **Notifications & actions**. - 1. In **Show notifications on the lock screen**, select **Off**. - - - **Use Group policy**: - - `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. - - - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). 
In Intune, you have the following options: - - - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage. - - - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: - - - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. - - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. - - When looking at settings, check the supported OS for each setting to make sure it applies. - - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: - - - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. - - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. - -- **Disable removable media**: To enable this feature, you have the following options: - - **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation. - To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. - - **Use an MDM provider**: In Intune, you have the following options: - - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage. 
- - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: - - `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. - To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. - When looking at settings, check the supported OS for each setting to make sure it applies. - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: - - `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. - To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. - -## Enable logging - -Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. - -:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: - -## Automatic logon - -You may also want to set up **automatic logon** for your kiosk device. 
When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in. - -> [!NOTE] -> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. - -> [!TIP] -> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. - -How to edit the registry to have an account sign in automatically: - -1. Open Registry Editor (regedit.exe). - - > [!NOTE] - > If you are not familiar with Registry Editor, [learn how to modify the Windows registry](/troubleshoot/windows-server/performance/windows-registry-advanced-users). - -1. Go to - - **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon** - -1. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - *DefaultUserName*: set value as the account that you want signed in. - - *DefaultPassword*: set value as the password for the account. - - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key. - -1. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. - -> [!TIP] -> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon). 
- -> [!NOTE] -> If you are also using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed). - -## Interactions and interoperability - -The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. - -- **Accessibility**: Assigned access doesn't change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features: - - | Key combination | Blocked behavior | - | --- | --- | - | Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. | - | Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. | - | Windows logo key + U | Open Ease of Access Center. | - -- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/) - -- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users. - - Alt + F4, Alt + Shift + Tab, Alt + Tab aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations. - - Ctrl + Alt + Delete is the key to break out of Assigned Access. 
If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings). - - | Key combination | Blocked behavior for assigned access users | - | --- | --- | - | Alt + Esc | Cycle through items in the reverse order from which they were opened. | - | Ctrl + Alt + Esc | Cycle through items in the reverse order from which they were opened. | - | Ctrl + Esc | Open the Start screen. | - | Ctrl + F4 | Close the window. | - | Ctrl + ShiftEsc | Open Task Manager. | - | Ctrl + Tab | Switch windows within the application currently open. | - | LaunchApp1 | Open the app that is assigned to this key. | - | LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. | - | LaunchMail | Open the default mail client. | - | Windows logo key | Open the Start screen. | - - Keyboard Filter settings apply to other standard accounts. - -- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). - [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education. -- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access. - For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). 
-- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access. - For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). -- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead. - If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess). -- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. - -For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). - -## Testing your kiosk in a virtual machine (VM) - -Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly. - -A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. - -When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session. - -:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. 
In the View menu, Extended session isn't selected, which means basic is used."::: - -To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog: - -:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session."::: diff --git a/windows/configuration/kiosk/kiosk-shelllauncher.md b/windows/configuration/kiosk/kiosk-shelllauncher.md deleted file mode 100644 index 0b6209673e6..00000000000 --- a/windows/configuration/kiosk/kiosk-shelllauncher.md +++ /dev/null 
@@ -1,273 +0,0 @@ ---- -title: Use Shell Launcher to create a kiosk experience -description: Learn how to configure Shell Launcher to change the default Windows shell when a user signs in to a device. -ms.topic: how-to -ms.date: 12/31/2017 ---- - -# Use Shell Launcher to create a Windows client kiosk - -Shell Launcher is a Windows feature that executes an application as the user interface, replacing the default Windows Explorer (`explorer.exe`). - ->[!NOTE] ->Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. -> ->Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to: ->- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools ->- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies ->- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies - -You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. - -Shell Launcher replaces `explorer.exe` with `customshellhost.exe`. This executable file can launch a Windows desktop application or a UWP app. - -In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements: - -- You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**. 
-- From a custom UWP shell, you can launch secondary views and run on multiple monitors. -- The custom shell app runs in full screen, and can run other apps in full screen on user's demand. - -For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2). - -## Requirements - ->[!WARNING] -> ->- Windows 10 doesn't support setting a custom shell prior to OOBE. If you do, you won't be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -- A domain, Microsoft Entra ID, or local user account. -- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](/windows-hardware/customize/enterprise/shell-launcher) - -## Enable Shell Launcher feature - -To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. -1. Expand **Device Lockdown**. -1. Select **Shell Launcher** and **OK**. 
- -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -1. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -## Configure a custom shell in MDM - -You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM. - -### XML for Shell Launcher configuration - -The following XML sample works for **Shell Launcher v1**: - -```xml - - - - - - - - - - - - - -``` - -For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` isn't specified, it implies the shell is Win32 app. - -```xml - - - - - - - - - - - -``` - ->[!TIP] ->In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode. - -[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) - -### Custom OMA-URI setting - -In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v1. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting determines whether you apply Shell Launcher v1 or v2.) - -The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`. 
- -For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. - -![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png) - -After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups. - -## Configure a custom shell using PowerShell - -For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md). - -For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you'll want to change the script for your purposes. Save your script with the extension.ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. 
- -```powershell -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - return (enabled != 0); - } - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } -} -"@ - $type = Add-Type -TypeDefinition $source -PassThru - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - - write-host "Make sure Shell Launcher feature is enabled" - exit - } - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. - -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. 
- -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. 
- -$ShellLauncherClass.RemoveCustomShell($Admins_SID) -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## default action, custom action, exit code - -Shell launcher defines four actions to handle app exits, you can customize shell launcher and use these actions based on different exit code. - -| Value | Description | -|--|--| -| 0 | Restart the shell | -| 1 | Restart the device | -| 2 | Shut down the device | -| 3 | Do nothing | - -These actions can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI. - -To configure these actions with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most four custom actions mapping to four exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) - -``` xml - - - - - - - - -``` diff --git a/windows/configuration/kiosk/kiosk-single-app.md b/windows/configuration/kiosk/kiosk-single-app.md deleted file mode 100644 index 688758b856f..00000000000 --- a/windows/configuration/kiosk/kiosk-single-app.md +++ /dev/null 
@@ -1,330 +0,0 @@ ---- -title: Set up a single-app kiosk on Windows -description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions. -ms.topic: article -ms.collection: - - tier1 -ms.date: 07/12/2023 ---- - - -# Set up a single-app kiosk - -A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. - -![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) - ->[!IMPORTANT] ->[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. -> ->Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste. - -You have several options for configuring your single-app kiosk. - -- Locally, in Settings: The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. - - This option supports: - - - Windows 10 Pro, Enterprise, and Education - - Windows 11 - -- PowerShell: You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account. - - This option supports: - - - Windows 10 Pro, Enterprise, and Education - - Windows 11 - -- The kiosk wizard in Windows Configuration Designer: Windows Configuration Designer is a tool that produces a *provisioning package*. 
A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings. - - This option supports: - - - Windows 10 Pro version 1709+, Enterprise, and Education - - Windows 11 - -- Microsoft Intune or other mobile device management (MDM) provider: For devices managed by your organization, you can use MDM to set up a kiosk configuration. - - This option supports: - - - Windows 10 Pro version 1709+, Enterprise, and Education - - Windows 11 - -> [!TIP] -> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). - -> -> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. - -## Set up a kiosk in local Settings - -App type: - -- UWP - -OS: - -- Windows 10 Pro, Ent, Edu -- Windows 11 - -Account type: - -- Local standard user - -You can use **Settings** to quickly configure one or a few devices as a kiosk. - -When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. - -- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything. - -- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. 
Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - - ![Screenshot of automatic sign-in setting.](images/auto-signin.png) - -### Windows 10 version 1809+ / Windows 11 - -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings: - -Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**. - -1. Select **Set up a kiosk > Assigned access**, and then select **Get started**. - -1. Enter a name for the new account. - - >[!NOTE] - >If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**. - -1. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options: - - - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser) - - Which URL should be displayed when the kiosk accounts signs in - - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) - -1. Select **Close**. - -To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. 
- -### Windows 10 version 1803 and earlier - -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) - -![The Set up assigned access page in Settings.](images/kiosk-settings.png) - -To set up assigned access in PC settings: - -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. -1. Select **Set up assigned access**. -1. Choose an account. -1. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). -1. Close **Settings** - your choices are saved automatically, and will be applied the next time that user account signs in. -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - -## Set up a kiosk using Windows PowerShell - -App type: - -- UWP - -OS: - -- Windows 10 Pro, Ent, Edu -- Windows 11 - -Account type: - -- Local standard user - -![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -Before you run the cmdlet: - -1. Sign in as administrator. -1. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. -1. Sign in as the Assigned Access user account. -1. Install the Universal Windows app that follows the assigned access/above the lock guidelines. -1. Sign out as the Assigned Access user account. -1. Sign in as administrator. 
- -To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -- **Configure assigned access by AppUserModelID and user name**: `Set-AssignedAccess -AppUserModelId -UserName ` -- **Configure assigned access by AppUserModelID and user SID**: `Set-AssignedAccess -AppUserModelId -UserSID ` -- **Configure assigned access by app name and user name**: `Set-AssignedAccess -AppName -UserName ` -- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName -UserSID ` - -> [!NOTE] -> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once. - -[Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md). - -[Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**). - -To remove assigned access, using PowerShell, run the following cmdlet: - -```powershell -Clear-AssignedAccess -``` - -## Set up a kiosk using the kiosk wizard in Windows Configuration Designer - -App type: - -- UWP -- Windows desktop application - -OS: - -- Windows 10 Pro version 1709+ for UWP only -- Windows 10 Ent, Edu for UWP and Windows desktop applications -- Windows 11 - -Account type: - -- Local standard user -- Active Directory - -![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) - ->[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). - -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. 
- -[Install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings: - -1. Enable device setup: - - :::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: - - If you want to enable device setup, select **Set up device**, and configure the following settings: - - - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`. - - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades). - - **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default. - - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. - -1. Set up the network: - - :::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: - - If you want to enable network setup, select **Set up network**, and configure the following settings: - - - **Set up network**: To enable wireless connectivity, select **On**. - - **Network SSID**: Enter the Service Set Identifier (SSID) of the network. - - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. - -1. 
Enable account management: - - :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account."::: - - If you want to enable account management, select **Account Management**, and configure the following settings: - - - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: - - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. - - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. - - If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. - - You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. - - - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. - -1. 
Add applications: - - :::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode."::: - - To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md). - - > [!WARNING] - > If you select the plus button to add an application, you must enter an application for the provisioning package to validate. If you select the plus button by mistake, then: - > - > 1. In **Installer Path**, select any executable file. - > 1. When the **Cancel** button shows, select it. - > - > These steps let you complete the provisioning package without adding an application. - -1. Add certificates: - - :::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: - - To add a certificate to the devices, select **Add certificates**, and configure the following settings: - - - **Certificate name**: Enter a name for the certificate. - - **Certificate path**: Browse and select the certificate you want to add. - -1. Configure the kiosk account, and the kiosk mode app: - - :::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device."::: - - To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings: - - - **Create a local standard user account to run the kiosk mode app**: Select **Yes** to create a local standard user account, and enter the **User name** and **Password**. 
This user account runs the app. If you select **No**, make sure you have an existing user account to run the kiosk app. - - **Auto sign-in**: Select **Yes** to automatically sign in the account when the device starts. **No** doesn't automatically sign in the account. If there are issues with auto sign-in after you apply the provisioning package, then check the Event Viewer logs for auto logon issues (`Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational`). - - **Configure the kiosk mode app**: Enter the **User name** of the account that will run the kiosk mode app. In **App type**, select the type of app to run. Your options: - - **Windows desktop application**: Enter the path or filename. If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required. - - **Universal Windows app**: Enter the AUMID. - -1. Configure kiosk common settings: - - :::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings."::: - - To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings: - - - **Set tablet mode** - - **Customize user experience** - - **Configure power settings** - -1. Finish: - - :::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: - - To complete the wizard, select **Finish**, and configure the following setting: - - - **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. 
- ->[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](../provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -[Learn how to apply a provisioning package.](../provisioning-packages/provisioning-apply-package.md) - -## Set up a kiosk or digital sign using Microsoft Intune or other MDM service - -App type: - -- UWP - -OS: - -- Windows 10 Pro version 1709+, Ent, Edu -- Windows 11 - -Account type: - -- Local standard user -- Microsoft Entra ID - -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. - ->[!TIP] ->A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). - -To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. - -## Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. 
When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -> [!NOTE] -> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode. - -The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). diff --git a/windows/configuration/kiosk/kiosk-validate.md b/windows/configuration/kiosk/kiosk-validate.md deleted file mode 100644 index eb3259d1853..00000000000 --- a/windows/configuration/kiosk/kiosk-validate.md +++ /dev/null 
@@ -1,83 +0,0 @@
----
-title: Validate kiosk configuration
-description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education.
-
-ms.topic: article
-ms.date: 12/31/2017
----
-
-# Validate kiosk configuration
-
-To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.
-
-Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
-
-To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
-
->[!NOTE]
->The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
-
-The following sections explain what to expect on a multi-app kiosk.
-
-### App launching and switching experience
-
-In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
-
-The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
- -### Start changes - -When the assigned access user signs in, you should see a restricted Start experience: -- Start gets launched in full screen and prevents the end user from accessing the desktop. - -- Start shows the layout aligned with what you defined in the multi-app configuration XML. - -- Start prevents the end user from changing the tile layout. - - The user cannot resize, reposition, and unpin the tiles. - - The user cannot pin additional tiles on the start. -- Start hides **All Apps** list. -- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). -- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](/windows/client-management/mdm/policy-csp-start).) -- Start hides **Change account settings** option under **User** button. - -### Taskbar changes - -If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: - -- Disables context menu of Start button (Quick Link) -- Disables context menu of taskbar -- Prevents the end user from changing the taskbar -- Disables Cortana and Search Windows -- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace -- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings - -### Blocked hotkeys - -The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
-
-| Hotkey | Action |
-| --- | --- |
-| Windows logo key + A | Open Action center |
-| Windows logo key + Shift + C | Open Cortana in listening mode |
-| Windows logo key + D | Display and hide the desktop |
-| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
-| Windows logo key + E | Open File Explorer |
-| Windows logo key + F | Open Feedback Hub |
-| Windows logo key + G | Open Game bar when a game is open |
-| Windows logo key + I | Open Settings |
-| Windows logo key + J | Set focus to a Windows tip when one is available. |
-| Windows logo key + O | Lock device orientation |
-| Windows logo key + Q | Open search |
-| Windows logo key + R | Open the Run dialog box |
-| Windows logo key + S | Open search |
-| Windows logo key + X | Open the Quick Link menu |
-| Windows logo key + comma (,) | Temporarily peek at the desktop |
-| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
-
-### Locked-down Ctrl+Alt+Del screen
-
-The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
-
-### Auto-trigger touch keyboard
-
-In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
diff --git a/windows/configuration/kiosk/kiosk-xml.md b/windows/configuration/kiosk/kiosk-xml.md
deleted file mode 100644
index dc2c2a62b29..00000000000
--- a/windows/configuration/kiosk/kiosk-xml.md
+++ /dev/null
@@ -1,952 +0,0 @@ ---- -title: Assigned Access configuration kiosk XML reference -description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. - -ms.topic: article -ms.date: 12/31/2017 ---- - -# Assigned Access configuration (kiosk) XML reference - -## Full XML sample - ->[!NOTE] ->Updated for Windows 10, version 1903, 1909, and 2004. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - domain\account - - - - AzureAD\john@contoso.onmicrosoft.com - - - - localaccount - - - - - - - - - - - - - - - - - - - - -``` - -## Kiosk only sample XML - -```xml - - - - - - - - - - singleappuser - - - - -``` - -## Auto Launch Sample XML - -This sample demonstrates that both UWP and Win32 apps can be configured to automatically launch, when assigned access account logs in. One profile can have at most one app configured for auto launch. AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - aauser1 - - - - aauser2 - - - - - -``` - -## Microsoft Edge Kiosk XML Sample - -```xml - - - - - - - - - - - - EdgeKioskUser - - - - -``` - -## Global Profile Sample XML - -Global Profile is supported on: - -- Windows 11 -- Windows 10, version 2004 and later - -Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user. - -This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in. 
- -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - -``` - -Below sample shows dedicated profile and global profile mixed usage, a user would use one profile, everyone else that's non-admin will use another profile. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - aauser - - - - - -``` - -## Folder Access sample xml - -Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+. - -IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - multi1 - - - - multi2 - - - - multi3 - - - - multi4 - - - - multi5 - - - - multi6 - - - - - -``` - -## XSD for AssignedAccess configuration XML - -> [!NOTE] -> Updated for Windows 10, version 1903 and later. 
- -The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -The following XML is the schema for new features introduced in Windows 10 1809 release: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -The following XML is the schema for Windows 10 version 1909+: - -```xml - - - - - - - - - - - - - - - - - - -``` - -To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. - -For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. - -```xml - - - - - - -``` diff --git a/windows/configuration/kiosk/lock-down-windows-10-applocker.md b/windows/configuration/kiosk/lock-down-windows-10-applocker.md deleted file mode 100644 index 2781e1b6400..00000000000 --- a/windows/configuration/kiosk/lock-down-windows-10-applocker.md +++ /dev/null 
@@ -1,97 +0,0 @@
----
-title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps
-description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
-appliesto:
-- ✅ Windows 10
-ms.date: 07/30/2018
-ms.topic: article
----
-
-# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
-
-Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](./kiosk-methods.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
-
->[!NOTE]
->For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md).
-
-You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
-
-AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
-
-This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
- -![install create lockdown customize.](images/lockdownapps.png) - -## Install apps - -First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account. - -## Use AppLocker to set rules for apps - -After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else. - -1. Run Local Security Policy (secpol.msc) as an administrator. -1. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. - - ![configure rule enforcement.](images/apprule.png) - -1. Check **Configured** under **Executable rules**, and then click **OK**. -1. Right-click **Executable Rules** and then click **Automatically generate rules**. - - ![automatically generate rules.](images/genrule.png) - -1. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. -1. Type a name to identify this set of rules, and then click **Next**. -1. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules. -1. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps. -1. Read the message and click **Yes**. - - ![default rules warning.](images/appwarning.png) - -1. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. -1. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**. -1. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. 
To force the Application Identity service to automatically start on reset, open a command prompt and run: - - ``` syntax - sc config appidsvc start=auto - ``` - -1. Restart the device. - -## Other settings to lock down - -In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device: - -- Remove **All apps**. - - Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**. - -- Hide **Ease of access** feature on the logon screen. - - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. - -- Disable the hardware power button. - - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. - -- Disable the camera. - - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. - -- Turn off app notifications on the lock screen. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. - -- Disable removable media. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. - - **Note** - - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. 
-
-To learn more about locking down features, see [Customizations for Windows 10 Enterprise](/windows-hardware/customize/enterprise/enterprise-custom-portal).
-
-## Customize Start screen layout for the device (recommended)
-
-Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](../start/windows-10-start-layout-options-and-policies.md).
diff --git a/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md b/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md
deleted file mode 100644
index 43646ca390a..00000000000
--- a/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md
+++ /dev/null
@@ -1,660 +0,0 @@ ---- -title: Set up a multi-app kiosk on Windows 10 -description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. -ms.topic: how-to -ms.date: 11/08/2023 ---- - -# Set up a multi-app kiosk on Windows 10 devices - -> [!NOTE] -> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10. - -A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. - -The following table lists changes to multi-app kiosk in recent updates. - -| New features and improvements | In update | -| --- | ---| -| - Configure [a single-app kiosk profile](#profile) in your XML file

    - Assign [group accounts to a config profile](#config-for-group-accounts)

    - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | -| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

    - [Automatically launch an app](#allowedapps) when the user signs in

    - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

    **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | - -> [!WARNING] -> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. - -You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). - -> [!TIP] -> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. - - - -## Configure a kiosk in Microsoft Intune - -To configure a kiosk in Microsoft Intune, see: - -- [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings) -- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows) - - - -## Configure a kiosk using a provisioning package - -Process: - -1. [Create XML file](#create-xml-file) -1. [Add XML file to provisioning package](#add-xml) -1. [Apply provisioning package to device](#apply-ppkg) - -Watch how to use a provisioning package to configure a multi-app kiosk. 
- -> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] - -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). - -### Prerequisites - -- Windows Configuration Designer (Windows 10, version 1709 or later) -- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later - -> [!NOTE] -> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. - -### Create XML file - -Let's start by looking at the basic structure of the XML file. - -- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. - -- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. - -- Multiple config sections can be associated to the same profile. - -- A profile has no effect if it's not associated to a config section. - - ![profile = app and config = account.](images/profile-config.png) - -You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) - -```xml - - - - - - - - - - - - - - - - - - -``` - -#### Profile - -There are two types of profiles that you can specify in the XML: - -- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. 
-- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. - -A lockdown profile section in the XML has the following entries: - -- [**Id**](#id) - -- [**AllowedApps**](#allowedapps) - -- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions) - -- [**StartLayout**](#startlayout) - -- [**Taskbar**](#taskbar) - -A kiosk profile in the XML has the following entries: - -- [**Id**](#id) - -- [**KioskModeApp**](#kioskmodeapp) - -##### Id - -The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. - -```xml - - - -``` - -##### AllowedApps - -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - -- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout). -- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`. -- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`. 
-- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). - -When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: - -1. Default rule is to allow all users to launch the signed package apps. -1. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. - - > [!NOTE] - > You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. - > - > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. 
If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. - -Here are the predefined assigned access AppLocker rules for **desktop apps**: - -1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. -1. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration. -1. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. - -The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. - - - -```xml - - - - - - - - - - - -``` - -##### FileExplorerNamespaceRestrictions - -Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This behavior can also be set using Microsoft Intune. - -The following example shows how to allow user access to the Downloads folder in the common file dialog box. - -> [!TIP] -> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu. - -```xml - - - - - - ... - - - - - - - ... - - - - - -``` - -`FileExplorerNamespaceRestriction` has been extended in current Windows 10 Prerelease for finer granularity and easier use. 
For more information and full samples, see [Assigned access XML reference](kiosk-xml.md). By using new elements, you can configure whether a user can access the Downloads folder or removable drives, or have no restrictions at all. - -> [!NOTE] -> - `FileExplorerNamespaceRestrictions` and `AllowedNamespace:Downloads` are available in namespace `https://schemas.microsoft.com/AssignedAccess/201810/config`. -> - `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace `https://schemas.microsoft.com/AssignedAccess/2020/config`. - -- When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser. -- When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. -- When `AllowRemovableDrives` is used, user will be to access removable drives. -- When `NoRestriction` is used, no restriction will be applied to the dialog. -- `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time. - -##### StartLayout - -After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. - -The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](../start/customize-and-export-start-layout.md). - -A few things to note here: - -- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. 
-- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. -- There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). - -The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: - -```xml - - - - - - - - - - - - - - - - - - - - - - ]]> - -``` - -> [!NOTE] -> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. - -![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) - -##### Taskbar - -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. - -The following example exposes the taskbar to the end user: - -```xml - -``` - -The following example hides the taskbar: - -```xml - -``` - -> [!NOTE] -> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. - -##### KioskModeApp - -**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. 
- -```xml - -``` - -> [!IMPORTANT] -> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. - -#### Configs - -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. - -The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. - -You can assign: - -- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) -- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts) -- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). - -> [!NOTE] -> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. - -##### Config for AutoLogon Account - -When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. - -The following example shows how to specify an account to sign in automatically. 
- -```xml - - - - - - -``` - -Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". - -```xml - - - - - - -``` - -On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) - -> [!IMPORTANT] -> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). - -##### Config for individual accounts - -Individual accounts are specified using ``. - -- Local account can be entered as `machinename\account` or `.\account` or just `account`. -- Domain account should be entered as `domain\account`. -- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` - -> [!WARNING] -> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. 
However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - -Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. - -> [!NOTE] -> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. - -```xml - - - MultiAppKioskUser - - - -``` - -##### Config for group accounts - -Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. - -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied. - - ```xml - - - - - ``` - -- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. - - ```xml - - - - - ``` - -- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. 
The kiosk device must have internet connectivity when users that belong to the group sign-in. - - ```xml - - - - - ``` - - > [!NOTE] - > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. - - - -#### [Preview] Global profile - -Global profile is available in Windows 1. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios. - -Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user. - -> [!NOTE] -> 1. `GlobalProfile` can only be a multi-app profile. -> 1. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML. -> 1. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - -``` - -### Add XML file to provisioning package - -Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). - -Use the Windows Configuration Designer tool to create a provisioning package. 
[Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md). - -> [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`. - -1. Choose **Advanced provisioning**. - -1. Name your project, and select **Next**. - -1. Choose **All Windows desktop editions** and select **Next**. - -1. On **New project**, select **Finish**. The workspace for your package opens. - -1. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. - -1. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created. - - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) - -1. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. - -1. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. 
Select **UserGroup** as **Standard Users**. - -1. On the **File** menu, select **Save.** - -1. On the **Export** menu, select **Provisioning package**. - -1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. - -1. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - - Optionally, you can select **Browse** to change the default output location. - -1. Select **Next**. - -1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. 
- - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this action, select **Back** to change the output package name and path, and then select **Next** to start another build. - - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. - -1. Copy the provisioning package to the root directory of a USB drive. - - - -### Apply provisioning package to device - -Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](../provisioning-packages/provisioning-apply-package.md). - -> [!NOTE] -> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. - -### Use MDM to deploy the multi-app configuration - -Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. - -If your device is enrolled with an MDM service that supports applying the assigned access configuration, you can use it to apply the setting remotely. - -The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. - -## Considerations for Windows Mixed Reality immersive headsets - -With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps. - -To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps): - -```xml - - - - -``` - -These apps are in addition to any mixed reality apps that you allow. 
- -**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user wouldn't have permissions to download and so their setup of the Mixed Reality Portal would fail. - -After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers. - -There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. - -## Policies set by multi-app kiosk configuration - -It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. - -When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will affect other users on the device. - -### Group policy - -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users. 
- -| Setting | Value | -| --- | --- | -Remove access to the context menus for the task bar | Enabled -Clear history of recently opened documents on exit | Enabled -Prevent users from customizing their Start Screen | Enabled -Prevent users from uninstalling applications from Start | Enabled -Remove All Programs list from the Start menu | Enabled -Remove Run menu from Start Menu | Enabled -Disable showing balloon notifications as toast | Enabled -Do not allow pinning items in Jump Lists | Enabled -Do not allow pinning programs to the Taskbar | Enabled -Do not display or track items in Jump Lists from remote locations | Enabled -Remove Notifications and Action Center | Enabled -Lock all taskbar settings | Enabled -Lock the Taskbar | Enabled -Prevent users from adding or removing toolbars | Enabled -Prevent users from resizing the taskbar | Enabled -Remove frequent programs list from the Start Menu | Enabled -Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled -Remove the Security and Maintenance icon | Enabled -Turn off all balloon notifications | Enabled -Turn off feature advertisement balloon notifications | Enabled -Turn off toast notifications | Enabled -Remove Task Manager | Enabled -Remove Change Password option in Security Options UI | Enabled -Remove Sign Out option in Security Options UI | Enabled -Remove All Programs list from the Start Menu | Enabled - Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drivers - -> [!NOTE] -> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. 
This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. - -### MDM policy - -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system. - -Setting | Value | System-wide - --- | --- | --- -[Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes -[Start/AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes 
-[Start/AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No -[Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) | 1 - True (hide) | No -[Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes -[WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes -[Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No -[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes - - - -## Provision .lnk files using Windows Configuration Designer - -First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk` - -Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. 
- -```PowerShell -msiexec /I ".msi" /qn /norestart -copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\.lnk" -``` - -In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**: - -- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file. - - > [!IMPORTANT] - > Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk. - -- Under **CommandLine**, enter `cmd /c *FileName*.bat`. - -## Other methods - -Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). diff --git a/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md b/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md deleted file mode 100644 index 705b8f15174..00000000000 --- a/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md +++ /dev/null 
@@ -1,404 +0,0 @@
----
-title: Set up a multi-app kiosk on Windows 11
-description: Learn how to configure a kiosk device running Windows 11 so that users can only run a few specific apps.
-ms.date: 05/12/2023
-
-ms.topic: how-to
----
-# Set up a multi-app kiosk on Windows 11 devices
-
-> [!NOTE]
-> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11.
-
-An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk.
-
-> [!WARNING]
-> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
-
-> [!TIP]
-> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
-
-## Configure a Multi-App Kiosk
-
-See the table below for the different methods to configure a multi-app kiosk in Windows 11.
-
-|Configuration Method|Availability|
-|--------------------|------------|
-|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023|
-
-
-
-> [!NOTE]
-> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below.
-
-## Create the XML file
-
-Let's start by looking at the basic structure of the XML file.
- -- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. - -- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. - -- Multiple config sections can be associated to the same profile. - -- A profile has no effect if it's not associated to a config section. - -You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. - -> [!NOTE] -> If you want to write a configuration file to be applied to both Windows 10 and Windows 11 devices, follow the [Windows 10 instructions](lock-down-windows-10-to-specific-apps.md) to add the StartLayout tag to your XML file, just above the StartPins tag. Windows will automatically ignore the sections that don't apply to the version running. - -```xml - - - - - - - - - - - - - - - - - - -``` -#### Profile - -There are two types of profiles that you can specify in the XML: - -- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. - -A lockdown profile section in the XML has the following entries: - -- [**Id**](#id) -- [**AllowedApps**](#allowedapps) -- [**StartPins**](#startpins) -- [**Taskbar**](#taskbar) - -A kiosk profile in the XML has the following entries: - -- [**Id**](#id) -- [**KioskModeApp**](#kioskmodeapp) - -##### Id - -The profile **Id** is a GUID attribute to uniquely identify the profile. 
You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. - -```xml - - - -``` - -##### AllowedApps - -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - -- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#create-the-xml-file). -- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`. -- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`. -- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). - -When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: - -1. Default rule is to allow all users to launch the signed package apps. -1. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. 
This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. - - > [!NOTE] - > You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. - > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. - -Here are the predefined assigned access AppLocker rules for **desktop apps**: - -1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. -1. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration. -1. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. 
- -The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. - - - -```xml - - - - - - - - - -``` - -##### StartPins - -After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. Once you've decided, you can get the JSON needed for your kiosk configuration by following the steps to [Get the pinnedList JSON](../start/customize-and-export-start-layout.md). If you opt to do this using the PowerShell command, make sure that the system you run the command on has the same file structure as the device on which you will apply the kiosk (the path to the allowed apps must be the same). At the end of this step, you should have a JSON pinnedList that looks something like the below. - -Add your pinnedList JSON into the StartPins tag in your XML file. - -```xml - - - -``` - -> [!NOTE] -> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. - -##### Taskbar - -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. - -The following example exposes the taskbar to the end user: - -```xml - -``` - -The following example hides the taskbar: - -```xml - -``` - -> [!NOTE] -> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. 
- -##### KioskModeApp - -**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. - -```xml - -``` - -> [!IMPORTANT] -> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. - -#### Configs - -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. - -The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. - -You can assign: - -- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) -- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts) -- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). - -> [!NOTE] -> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. 
- -##### Config for AutoLogon Account - -When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. - -The following example shows how to specify an account to sign in automatically. - -```xml - - - - - - -``` - -Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". - -```xml - - - - - - -``` - -On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) - ->[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). - -##### Config for individual accounts - -Individual accounts are specified using ``. - -- Local account can be entered as `machinename\account` or `.\account` or just `account`. -- Domain account should be entered as `domain\account`. -- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided *as is*, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. 
For example, `AzureAD\someone@contoso.onmicrosoft.com` - -> [!WARNING] -> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - -Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. - -> [!NOTE] -> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. - -```xml - - - MultiAppKioskUser - - - -``` - -##### Config for group accounts - -Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. - -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied. - - ```xml - - - - - ``` - -- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. 
- - ```xml - - - - - ``` - -- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. - - ```xml - - - - - ``` - - > [!NOTE] - > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. - -## Configure a kiosk using WMI Bridge - -Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. - -Here's an example of how to set AssignedAccess configuration: - -1. Download the [psexec tool](/sysinternals/downloads/psexec). - -1. Using an elevated command prompt, run `psexec.exe -i -s cmd.exe`. -1. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -1. Save the following Powershell excerpt as a PowerShell script (.ps1), replacing the placeholder "your XML here" with the [Sample Assigned Access XML](#sample-assigned-access-xml) then run the script at the Powershell prompt from the previous step. 
- -```powershell -$eventLogFilterHashTable = @{ - ProviderName = "Microsoft-Windows-AssignedAccess"; - StartTime = Get-Date -Millisecond 0 -} - -$namespaceName="root\cimv2\mdm\dmmap" -$className="MDM_AssignedAccess" -$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@" - - - -"@) - -$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue -if($cimSetError) { - Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" - Write-Error -ErrorRecord $cimSetError[0] - - $timeout = New-TimeSpan -Seconds 30 - $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() - do{ - $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore - } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available - - if($events.Count) { - $events | ForEach-Object { - - Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")" - - } - } else { - Write-Warning "Timed-out attempting to retrieve event logs..." - } - - Exit 1 -} - -Write-Output "Successfully applied Assigned Access configuration" -``` - -## Sample Assigned Access XML - -This section contains a predefined XML file which can be used as a quickstart to get familiar with the Assigned Access multi-app kiosk feature on Windows 11. - -```xml - - - - - - - - - - - - - - - - - - - - - - - MultiAppKioskUser - - - - -``` diff --git a/windows/configuration/kiosk/lockdown-features-windows-10.md b/windows/configuration/kiosk/lockdown-features-windows-10.md deleted file mode 100644 index 592bf95d71d..00000000000 --- a/windows/configuration/kiosk/lockdown-features-windows-10.md +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -title: Lockdown features from Windows Embedded 8.1 Industry -description: Many of the lockdown feature available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. -ms.topic: article -appliesto: -- ✅ Windows 10 -ms.date: 12/31/2017 ---- - -# Lockdown features from Windows Embedded 8.1 Industry - -Many of the lockdown feature available in Windows Embedded 8.1 Industry have been modified in some form for Windows 1. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. - -|Windows Embedded 8.1 Industry lockdown feature|Windows 10 feature|Changes| -|--- |--- |--- | -|[Hibernate Once/Resume Many (HORM)](/previous-versions/windows/embedded/dn449302(v=winembedded.82)): Quick boot to device|[HORM](/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)|HORM is supported in Windows 10, version 1607 and later.| -|[Unified Write Filter](/previous-versions/windows/embedded/dn449332(v=winembedded.82)): protect a device's physical storage media|[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)|The Unified Write Filter is continued in Windows 10.| -|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 151. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. 
Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.| -|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 1. It's now configurable in Windows ICD under the **SMISettings** category.
    Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.| -|[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.| -|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 1. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.
  • Control over which processes are able to run will now be provided by AppLocker.
  • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.| -|[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of noncritical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.
    Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**
    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](/mem/intune/configuration/custom-settings-windows-10) for **AboveLock/AllowActionCenterNotifications**.| -|[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.| -|[USB Filter](/previous-versions/windows/embedded/dn449350(v=winembedded.82)): restrict USB devices and peripherals on system|MDM and Group Policy|The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

    Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Device Installation Restrictions**
    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Removable storage**.| -|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 1. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and noncritical system notifications, but it also applied some of these limitations to other accounts on the device.
    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.| -|[Gesture Filter](/previous-versions/windows/embedded/dn449374(v=winembedded.82)): block swipes from top, left, and right edges of screen|MDM and Group Policy|In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](/windows/client-management/mdm/policy-configuration-service-provider#LockDown_AllowEdgeSwipe) policy.| -|[Custom sign in](/previous-versions/windows/embedded/dn449309(v=winembedded.82)): suppress Windows UI elements during Windows sign-on, sign out, and shut down|[Embedded sign in](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.| -|[Unbranded Boot](/previous-versions/windows/embedded/dn449249(v=winembedded.82)): custom brand a device by removing or replacing Windows boot UI elements|[Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.| diff --git a/windows/configuration/kiosk/setup-digital-signage.md b/windows/configuration/kiosk/setup-digital-signage.md deleted file mode 100644 index f159299653b..00000000000 --- a/windows/configuration/kiosk/setup-digital-signage.md +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -title: Set up digital signs on Windows -description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). -ms.date: 09/20/2021 -ms.topic: article ---- - -# Set up digital signs - -Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. - -For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode) or the Kiosk Browser app, and configure it to show your online content. - ->[!TIP] ->Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). - -Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+. - ->[!NOTE] ->If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business). - -This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience). - -1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) -1. 
[Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) -1. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md) -1. Open Windows Configuration Designer and select **Provision kiosk devices**. -1. Enter a friendly name for the project, and select **Finish**. -1. On **Set up device**, select **Disabled**, and select **Next**. -1. On **Set up network**, enable network setup: - - Toggle **On** wireless network connectivity. - - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. -1. On **Account management**, select **Disabled**, and select **Next**. -1. On **Add applications**, select **Add an application**: - - For **Application name**, enter `Kiosk Browser`. - - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed. - - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business. - - The **Package family name** is populated automatically. - - Select **Next**. -1. On **Add certificates**, select **Next**. -1. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage: - - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. - - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. - - For **App type**, select **Universal Windows App**. - - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. -1. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. -1. Go to **Runtime settings** > **Policies** > **KioskBrowser**. 
Let's assume that the URL for your digital signage content is contoso.com/menu: - - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. - - In **BlockedUrl**, enter `*`. - - In **DefaultUrl**, enter `https://www.contoso.com/menu`. - - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**. - - >[!TIP] - >For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). - -1. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box. -1. On the **Export** menu, select **Provisioning package**. -1. Change the **Owner** to **IT Admin**, and select **Next**. -1. On **Select security details for the provisioning package**, select **Next**. -1. On **Select where to save the provisioning package**, select **Next**. -1. On **Build the provisioning package**, select **Build**. -1. On the **All done!** screen, click the **Output location**. -1. Copy the .ppkg file to a USB drive. -1. Attach the USB drive to the device that you want to use for your digital sign. -1. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive. diff --git a/windows/configuration/kiosk/toc.yml b/windows/configuration/kiosk/toc.yml deleted file mode 100644 index 3362daaabd4..00000000000 --- a/windows/configuration/kiosk/toc.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-items:
-- name: Overview
- href: kiosk-methods.md
-- name: Prepare a device for kiosk configuration
- href: kiosk-prepare.md
-- name: Set up digital signs
- href: setup-digital-signage.md
-- name: Set up a single-app kiosk
- href: kiosk-single-app.md
-- name: Set up a multi-app kiosk for Windows 10
- href: lock-down-windows-10-to-specific-apps.md
-- name: Set up a multi-app kiosk for Windows 11
- href: lock-down-windows-11-to-specific-apps.md
-- name: Kiosk reference information
- items:
- - name: More kiosk methods and reference information
- href: kiosk-additional-reference.md
- - name: Find the Application User Model ID of an installed app
- href: find-the-application-user-model-id-of-an-installed-app.md
- - name: Validate your kiosk configuration
- href: kiosk-validate.md
- - name: Guidelines for choosing an app for assigned access (kiosk mode)
- href: guidelines-for-assigned-access-app.md
- - name: Policies enforced on kiosk devices
- href: kiosk-policies.md
- - name: Assigned access XML reference
- href: kiosk-xml.md
- - name: Use AppLocker to create a Windows 10 kiosk
- href: lock-down-windows-10-applocker.md
- - name: Use Shell Launcher to create a Windows client kiosk
- href: kiosk-shelllauncher.md
- - name: Use MDM Bridge WMI Provider to create a Windows client kiosk
- href: kiosk-mdm-bridge.md
- - name: Troubleshoot kiosk mode issues
- href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
-- name: Lockdown features from Windows Embedded 8.1 Industry
- href: lockdown-features-windows-10.md
\ No newline at end of file
diff --git a/windows/configuration/lock-screen/images/funfacts.png b/windows/configuration/lock-screen/images/funfacts.png
deleted file mode 100644
index 71355ec3708..00000000000
Binary files a/windows/configuration/lock-screen/images/funfacts.png and /dev/null differ
diff --git a/windows/configuration/lock-screen/images/lockscreen.png b/windows/configuration/lock-screen/images/lockscreen.png
deleted file mode 100644
index 68c64e15ec3..00000000000
Binary files a/windows/configuration/lock-screen/images/lockscreen.png and /dev/null differ
diff --git a/windows/configuration/lock-screen/images/lockscreenpolicy.png b/windows/configuration/lock-screen/images/lockscreenpolicy.png
deleted file mode 100644
index 30b6a7ae9d1..00000000000
Binary files a/windows/configuration/lock-screen/images/lockscreenpolicy.png and /dev/null differ
diff --git a/windows/configuration/lock-screen/images/spotlight.png b/windows/configuration/lock-screen/images/spotlight.png
deleted file mode 100644
index 515269740b8..00000000000
Binary files a/windows/configuration/lock-screen/images/spotlight.png and /dev/null differ
diff --git a/windows/configuration/lock-screen/windows-spotlight.md b/windows/configuration/lock-screen/windows-spotlight.md
deleted file mode 100644
index faf68d1afac..00000000000
--- a/windows/configuration/lock-screen/windows-spotlight.md
+++ /dev/null
@@ -1,66 +0,0 @@ ---- -title: Configure Windows Spotlight -description: Learn how to configure Windows Spotlight, a Windows lock screen feature that displays different images. -ms.topic: how-to -ms.date: 04/30/2018 ---- - -# Configure Windows Spotlight - -Windows Spotlight is a Windows feature that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. - -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. - ->[!NOTE] ->You can use the [Personalization CSP](/windows/client-management/mdm/personalization-csp) settings to set lock screen and desktop background images. - -## What does Windows Spotlight include? - -- **Background image** - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. More images are downloaded on ongoing basis. - ![lock screen image.](images/lockscreen.png) -- **Feature suggestions, fun facts, tips** - The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services. - ![fun facts.](images/funfacts.png) - -## How do you turn off Windows Spotlight locally? - -To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background.](images/spotlight.png) - -## How do you disable Windows Spotlight for managed devices? - -Windows Spotlight is enabled by default. 
Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. - ->[!NOTE] ->These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor. - -| Group Policy | MDM | Description | Applies to | -|--|--|--|--| -| **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | -| **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | -| **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | -| **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | -| **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | -| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows 
Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience that helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -| **Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | - - In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image** (Windows 10 Enterprise and Education). - - >[!TIP] - >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image). - -![lockscreen policy details.](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox isn't selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. - -## Resolution for custom lock screen image - -A concern with custom lock screen images is how they'll appear on different screen sizes and resolutions. - -A custom lock screen image created in 16:9 aspect ratio (1600x900) will scale properly on devices using a 16:9 resolution, such as 1280x720 or 1920x1080. On devices using other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), height scales correctly and width is cropped to a size equal to the aspect ratio. 
The image will remain centered on the screen - -Lock screen images created at other aspect ratios may scale and center unpredictably on your device when changing aspect ratios. - -The recommendation for custom lock screen images that include text (such as a legal statement) is to create the lock screen image in 16:9 resolution with text contained in the 4:3 region, allowing the text to remain visible at any aspect ratio. diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md index 7efc313edb5..dc6121f2d9f 100644 --- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md @@ -1,8 +1,8 @@ --- title: Diagnose Provisioning Packages description: Diagnose general failures in provisioning. -ms.topic: article -ms.date: 01/18/2023 +ms.topic: troubleshooting +ms.date: 07/09/2024 --- # Diagnose Provisioning Packages 
@@ -11,22 +11,20 @@ This article helps diagnose common issues with applying provisioning packages. Y ## Unable to apply power settings -When applying a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. +When you apply a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). - - ## Unable to perform bulk enrollment in Microsoft Entra ID -When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). 
+When you [enroll devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). > [!NOTE] > When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected. ## Unable to apply a multivariant provisioning package -When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected. +When you apply a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may be improperly authored conditions that didn't evaluate as expected. Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied. diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index e88f25ff702..9c82d0c44c1 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -1,13 +1,13 @@ --- title: Configuration service providers for IT pros description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. -ms.topic: article -ms.date: 12/31/2017 +ms.topic: how-to +ms.date: 07/09/2024 --- # Configuration service providers for IT pros -This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). +This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Configuration Service Provider reference](/windows/client-management/mdm/configuration-service-provider-reference). ## What is a CSP? 
@@ -15,19 +15,15 @@ In the client operating system, a CSP is the interface between configuration set On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client. -Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. - -CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). - -:::image type="content" source="images/policytocsp.png" alt-text="How intune maps to CSP"::: +Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. -### Synchronization Markup Language (SyncML) +## Synchronization Markup Language (SyncML) The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based SyncML for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). 
The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations. -### The WMI-to-CSP Bridge +## The WMI-to-CSP Bridge The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. 
@@ -37,138 +33,20 @@ The WMI-to-CSP Bridge is a component allowing configuration of Windows client CS Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. -In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings. +In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](/windows/client-management/mdm/configuration-service-provider-reference) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings. -### CSPs in Windows Configuration Designer +## CSPs in Windows Configuration Designer You can use Windows Configuration Designer to create [provisioning packages](provisioning-packages.md) to apply settings to devices during the out-of-box-experience (OOBE), and after the devices are set up. You can also use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs. -Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. 
+Many settings in Windows Configuration Designer display documentation for that setting in the center pane, and include a reference to the CSP if the setting uses one. :::image type="content" source="images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in ICD."::: [Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. -### CSPs in MDM - -Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). - -When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](/mem/intune/configuration/custom-settings-configure) to deploy settings. Intune documents [a partial list of settings](/mem/intune/configuration/custom-settings-windows-10) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information. - -### CSPs in Lockdown XML +## CSPs in MDM -## How do you use the CSP documentation? +Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and can't find that capability in your MDM service, contact your MDM provider for assistance. 
It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). -All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). - -The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows, and links to the documentation for each individual CSP. - -:::image type="content" source="images/csptable.png" alt-text="The CSP reference shows the supported Windows editions"::: - -The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. - -The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices' root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path. - -The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. - -:::image type="content" source="images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access CSP tree."::: - -The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. 
For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). - -```XML -./Vendor/MSFT/AssignedAccess/KioskModeApp -``` - -When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. - -:::image type="content" source="images/csp-placeholder.png" alt-text="The placeholder in the CSP tree"::: - -After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. - -For example, in the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. - -The documentation for most CSPs will also include an XML example. - -## CSP examples - -CSPs provide access to many settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful. - -- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) - - The Policy CSP enables the enterprise to configure policies on Windows client. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. - - Some of the settings available in the Policy CSP include the following: - - - **Accounts**, such as whether a non-Microsoft account can be added to the device. - - **Application management**, such as whether only Microsoft Store apps are allowed. - - **Bluetooth**, such as the services allowed to use it. - - **Browser**, such as restricting InPrivate browsing. - - **Connectivity**, such as whether the device can be connected to a computer by USB. - - **Defender** (for desktop only), such as day and time to scan. 
- - **Device lock**, such as the type of PIN or password required to unlock the device. - - **Experience**, such as allowing Cortana. - - **Security**, such as whether provisioning packages are allowed. - - **Settings**, such as enabling the user to change VPN settings. - - **Start**, such as applying a standard Start layout. - - **System**, such as allowing the user to reset the device. - - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft. - - **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - - **WiFi**, such as whether Internet sharing is enabled. - -Here is a list of CSPs supported on Windows 10 Enterprise: - -- [ActiveSync CSP](/windows/client-management/mdm/activesync-csp) -- [Application CSP](/windows/client-management/mdm/application-csp) -- [AppLocker CSP](/windows/client-management/mdm/applocker-csp) -- [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) -- [Bootstrap CSP](/windows/client-management/mdm/bootstrap-csp) -- [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp) -- [CellularSettings CSP](/windows/client-management/mdm/cellularsettings-csp) -- [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp) -- [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp) -- [CM\_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp) -- [CM\_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp) -- [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp) -- [Defender CSP](/windows/client-management/mdm/defender-csp) -- [DevDetail CSP](/windows/client-management/mdm/devdetail-csp) -- [DeviceInstanceService CSP](/windows/client-management/mdm/deviceinstanceservice-csp) -- [DeviceLock CSP](/windows/client-management/mdm/devicelock-csp) -- [DeviceStatus 
CSP](/windows/client-management/mdm/devicestatus-csp) -- [DevInfo CSP](/windows/client-management/mdm/devinfo-csp) -- [DiagnosticLog CSP](/windows/client-management/mdm/diagnosticlog-csp) -- [DMAcc CSP](/windows/client-management/mdm/dmacc-csp) -- [DMClient CSP](/windows/client-management/mdm/dmclient-csp) -- [Email2 CSP](/windows/client-management/mdm/email2-csp) -- [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp) -- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp) -- [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp) -- [EnterpriseExt CSP](/windows/client-management/mdm/enterpriseext-csp) -- [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp) -- [FileSystem CSP](/windows/client-management/mdm/filesystem-csp) -- [HealthAttestation CSP](/windows/client-management/mdm/healthattestation-csp) -- [HotSpot CSP](/windows/client-management/mdm/hotspot-csp) -- [Maps CSP](/windows/client-management/mdm/maps-csp) -- [NAP CSP](/windows/client-management/mdm/filesystem-csp) -- [NAPDEF CSP](/windows/client-management/mdm/napdef-csp) -- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265) -- [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) -- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) -- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418) -- [Provisioning CSP](/windows/client-management/mdm/provisioning-csp) -- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372) -- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp) -- [Registry CSP](/windows/client-management/mdm/registry-csp) -- [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp) -- [RemoteWipe CSP](/windows/client-management/mdm/remotewipe-csp) -- [Reporting CSP](/windows/client-management/mdm/reporting-csp) -- 
[RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp) -- [SecurityPolicy CSP](/windows/client-management/mdm/securitypolicy-csp) -- [Storage CSP](/windows/client-management/mdm/storage-csp) -- [SUPL CSP](/windows/client-management/mdm/supl-csp) -- [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp) -- [Update CSP](/windows/client-management/mdm/update-csp) -- [VPN CSP](/windows/client-management/mdm/vpn-csp) -- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) -- [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) -- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) -- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) +When a CSP is available but isn't explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](/mem/intune/configuration/custom-settings-configure) to deploy settings. Intune documents [a partial list of settings](/mem/intune/configuration/custom-settings-windows-10) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information. diff --git a/windows/configuration/provisioning-packages/images/ICD.png b/windows/configuration/provisioning-packages/images/ICD.png index 9cfcb845dfa..c5525201f19 100644 Binary files a/windows/configuration/provisioning-packages/images/ICD.png and b/windows/configuration/provisioning-packages/images/ICD.png differ 
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 7d869e903f4..80c1a38048c 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -1,63 +1,47 @@ --- -title: Provision PCs with common settings -description: Create a provisioning package to apply common settings to a PC running Windows 10. -ms.topic: article -ms.date: 12/31/2017 +title: Create a provisioning package (desktop wizard) +description: Create a provisioning package to apply common settings to a PC running Windows. +ms.topic: how-to +ms.date: 07/09/2024 --- -# Provision PCs with common settings for initial deployment (desktop wizard) +# Create a provisioning package (desktop wizard) -This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. +This article explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. +The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices: -## Advantages +- [Instructions for the desktop wizard](#start-a-new-project) +- [Instructions for the kiosk wizard](../assigned-access/overview.md) +- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard) +- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub) -- You can configure new devices without reimaging -- Works on desktop devices -- No network connectivity required -- Simple to apply - -[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) - -## What does the desktop wizard do? 
- -The desktop wizard helps you configure the following settings in a provisioning package: +In this example, we use the **Provision desktop devices** option which helps you configure the following settings in a provisioning package: - Set device name - Upgrade product edition - Configure the device for shared use -- Remove pre-installed software +- Remove preinstalled software - Configure Wi-Fi network - Enroll device in Active Directory or Microsoft Entra ID - Create local administrator account - Add applications and certificates ->[!WARNING] ->You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. - -Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -> [!TIP] -> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. -> -> :::image type="content" source="images/icd-simple-edit.png" alt-text="In the desktop wizard, open the advanced editor."::: - -## Create the provisioning package +> [IMPORTANT] +> You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. -Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) +## Start a new project -1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. -1. Click **Provision desktop devices**. +1. Select **Provision desktop devices**. 
:::image type="content" source="images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options."::: -1. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. +1. Name your project and select **Finish**. The pages for desktop provisioning walk you through the following steps. :::image type="content" source="images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning."::: - > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. @@ -74,6 +58,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios. - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. + > [!NOTE] + > To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems. + 1. Set up the network: :::image type="content" source="images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: 
@@ -81,7 +68,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L If you want to enable network setup, select **Set up network**, and configure the following settings: - **Set up network**: To enable wireless connectivity, select **On**. - - **Network SSID**: Enter the Service Set IDentifier (SSID) of the network. + - **Network SSID**: Enter the Service Set Identifier (SSID) of the network. - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. 1. Enable account management: 
@@ -91,10 +78,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L If you want to enable account management, select **Account Management**, and configure the following settings: - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: + - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. - If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. + If you select this option, enter a friendly name for the bulk token retrieved using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. 
@@ -123,6 +111,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. -After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. +After you're done, select **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + +## Next steps - **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) +> [!div class="nextstepaction"] +> Learn more about applying a provisioning package: +> +> [Apply a provisioning package](provisioning-apply-package.md) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 99f20c85aaf..3ffeaa9b73a 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
@@ -1,22 +1,22 @@ --- title: Provision PCs with apps description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. -ms.topic: article -ms.date: 12/31/2017 +ms.topic: how-to +ms.date: 07/09/2024 --- # Provision PCs with apps You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. -When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). +When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#add-a-windows-desktop-application-using-advanced-editor). ->[!IMPORTANT] ->If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Microsoft 365 Apps for enterprise). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Microsoft 365 Apps for enterprise 2016 apps using Microsoft Intune.](/intune/apps-add-office365) +> [!IMPORTANT] +> If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise. Apps that are installed using a provisioning package cannot be managed or modified using Intune. 
[Learn how to add Microsoft 365 Apps to Windows devices with Microsoft Intune.](/intune/apps-add-office365) ## Settings for UWP apps -- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app. +- **License Path**: Specify the license file if it's an app from the Microsoft Store. This is optional if you have a certificate for the app. - **Package family name**: Specify the package family name if you don't specify a license. This field will be autopopulated after you specify a license. - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app 
@@ -24,32 +24,23 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate ### MSI installer -> [!NOTE] -> You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options). - - **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE - - **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install - - **Restart required**: Optionally, specify if you want to reboot after a successful install of this app +- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#extract-from-a-cab-example). -- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). +> [!NOTE] +> You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options). ### Exe or other installer - **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags - -- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. 
The text boxes are space delimited. - +- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that isn't listed is interpreted as failure. The text boxes are space delimited. - **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install - - **Restart required**: Optionally, specify if you want to reboot after a successful install of this app +- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#extract-from-a-cab-example). -- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). - - - -## Add a Windows desktop application using advanced editor in Windows Configuration Designer +## Add a Windows desktop application using advanced editor 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. 
@@ -61,50 +52,32 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate ![enter settings for first app.](images/wcd-app-commands.png) -## Add a universal app to your package +## Add a universal app to your package using advanced editor -Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or non-Microsoft apps. This procedure assumes you're distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. 1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. - 1. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. - 1. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). - 1. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - 1. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
- - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. - - - - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**. - - 1. In the **Available customizations** pane, select the **LicenseProductId** that you just added. - 1. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file. [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) -> [!NOTE] +> [!IMPORTANT] > Removing a provisioning package will not remove any apps installed by device context in that provisioning package. - - ## Add a certificate to your package 1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. - 1. Enter a **CertificateName** and then select **Add**. - 1. Enter the **CertificatePassword**. - 1. For **CertificatePath**, browse and select the certificate to be used. - 1. Set **ExportCertificate** to **False**. - 1. For **KeyLocation**, select **Software only**. ## Add other settings to your package 
@@ -113,15 +86,15 @@ For details about the settings you can customize in provisioning packages, see [
 
 ## Build your package
 
-1. When you are done configuring the provisioning package, on the **File** menu, select **Save**.
+1. After you configure the provisioning package, on the **File** menu, select **Save**.
 
 1. Read the warning that project files may contain sensitive information, and select **OK**.
 
- When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location, and delete the project files when they're no longer needed.
+ When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files aren't encrypted. Store the project files in a secure location, and delete the project files when they're no longer needed.
 
 1. On the **Export** menu, select **Provisioning package**.
 
-1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+1. Change **Owner** to **IT Admin**, which sets the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
 
 1. Set a value for **Package Version**.
 
@@ -130,51 +103,33 @@ For details about the settings you can customize in provisioning packages, see [ 1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - + - **Enable package encryption** - If you select this option, an autogenerated password is shown on the screen. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select...** and choosing the certificate you want to use to sign the package. > [!TIP] > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently. -1. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

    - Optionally, you can select **Browse** to change the default output location. +1. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. Optionally, you can select **Browse** to change the default output location. 1. Select **Next**. -1. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

    - If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. +1. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. +1. If your build fails, an error message shows up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory is shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. - - - - If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**. + - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. 1. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - Shared network folder - - SharePoint site - - Removable media (USB/SD) - - Email -**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) - -## Related articles - -- [Provisioning packages for Windows client](provisioning-packages.md) -- [How provisioning works in Windows client](provisioning-how-it-works.md) -- [Install Windows Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows client 
(reference)](provisioning-powershell.md) -- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +## Next steps + +> [!div class="nextstepaction"] +> Learn more about applying a provisioning package: +> +> [Apply a provisioning package](provisioning-apply-package.md) diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index d4e5be28f7b..a5e44cee63b 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -1,8 +1,8 @@ --- title: Apply a provisioning package description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). -ms.topic: article -ms.date: 12/31/2017 +ms.topic: how-to +ms.date: 07/09/2024 --- # Apply a provisioning package 
@@ -13,22 +13,20 @@ Provisioning packages can be applied to a device during initial setup (out-of-bo > > - Applying a provisioning package to a desktop device requires administrator privileges on the device. > - You can interrupt a long-running provisioning process by pressing ESC. - -> [!TIP] -> In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. +> - In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. ## During initial setup To apply a provisioning package from a USB drive during initial setup: -1. Start with a device on the initial setup screen. If the device has gone past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**. +1. Start with a device on the initial setup screen. If the device goes past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**. :::image type="content" source="images/oobe.png" alt-text="The first screen when setting up a new PC."::: 1. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. - If there's only one provisioning package on the USB drive, the provisioning package is applied. See step 5. - - If there's more than one provisioning package on the USB drive, Windows setup recognizes the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**. + - If there's more than one provisioning package on the USB drive, Windows setup recognizes the drive and asks how you want to provision the device. 
Select **Install provisioning package** and select **Next**. :::image type="content" source="images/provisioning-oobe-choice.png" alt-text="What would you like to do?"::: @@ -36,11 +34,11 @@ To apply a provisioning package from a USB drive during initial setup: :::image type="content" source="images/provisioning-oobe-choose-package.png" alt-text="Choose a package."::: -1. The selected provisioning package will install and apply to the device. +1. The selected provisioning package is applied to the device. :::image type="content" source="images/provisioning-oobe-installing.png" alt-text="Setting up your PC."::: -1. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device. +1. Wait for the device to load and begin applying the provisioning package. After you see "You can remove your removable media now!" you can remove your USB drive. Windows continues to provision the device. ## After initial setup @@ -60,7 +58,7 @@ Provisioning packages can be applied after initial setup through Windows setting :::image type="content" source="images/provisioning-runtime-add-package.png" alt-text="Select and add a package."::: -1. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you're installing before accepting the UAC prompt. Select **Yes**. +1. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you're installing before accepting the User Account Control (UAC) prompt. Select **Yes**. :::image type="content" source="images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: 
@@ -83,16 +81,3 @@ To apply a provisioning package directly, such as from a USB drive, folder, netw
 1. The provisioning runtime asks if the package is from a source you trust. Verify that you're applying the correct package and that it's trusted. Select **Yes, add it**.
 
 :::image type="content" source="images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::
-
-## Related articles
-
-- [Provisioning packages for Windows client](provisioning-packages.md)
-- [How provisioning works in Windows client](provisioning-how-it-works.md)
-- [Install Windows Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
-- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 9ebacde2fb2..5ff3a5cf1dd 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -1,20 +1,17 @@ --- -title: Windows Configuration Designer command-line interface -description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. -ms.topic: article -ms.date: 12/31/2017 +title: Windows Configuration Designer command line interface +description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command line interface for Windows devices. +ms.topic: how-to +ms.date: 07/09/2024 --- -# Windows Configuration Designer command-line interface (reference) +# Windows Configuration Designer command line interface -You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages. +You can use the Windows Configuration Designer command line interface (CLI) to automate the building of provisioning packages. - IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. - - You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). - - ## Syntax ``` cmd 
@@ -29,25 +26,9 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | Switch | Required? | Arguments | | --- | --- | --- | | /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | -| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | -| /StoreFile | No


    See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.


    **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | +| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package is saved. | +| /StoreFile | No


    See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions is loaded by Windows Configuration Designer.


    **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /Variables | No | Specifies a semicolon separated `` and `` macro pair. The format for the argument must be `=`. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output.


    Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. | -| Overwrite | No | Denotes whether to overwrite an existing provisioning package.


    Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | +| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output.

    Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. | +| Overwrite | No | Denotes whether to overwrite an existing provisioning package.

    Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | - - -## Related articles - -- [Provisioning packages for Windows client](provisioning-packages.md) -- [How provisioning works in Windows client](provisioning-how-it-works.md) -- [Install Windows Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index d09f0ee4b9b..b239dfb3d5c 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md 
@@ -1,16 +1,14 @@
 ---
-title: Create a provisioning package
-description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image.
-ms.topic: article
-ms.date: 12/31/2017
+title: Create a provisioning package (advanced)
+description: Learn how to create a provisioning package for Windows, which lets you quickly configure a device without having to install a new image.
+ms.topic: how-to
+ms.date: 07/09/2024
 ---
 
-# Create a provisioning package
+# Create a provisioning package (advanced)
 
 You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client.
 
->[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
-
 > [!TIP]
 > We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain.
 
@@ -18,29 +16,14 @@ You can use Windows Configuration Designer to create a provisioning package (`.p 1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. -1. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: +1. Select **Advanced provisioning** on the start page, which offers multiple options for creating a provisioning package, as shown in the following image: ![Configuration Designer wizards.](images/icd-create-options-1703.png) - - The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices: - - - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - - [Instructions for HoloLens wizard](/hololens/hololens-provisioning) - - [Instructions for Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub) - - Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). - - - >[!NOTE] - >To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems. - - - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) 
- - >[!TIP] - > You can start a project in the simple wizard editor and then switch the project to the advanced editor. - > - > ![Switch to advanced editor.](images/icd-switch.png) + > [!TIP] + > You can start a project in the simple wizard editor and then switch the project to the advanced editor. + > + > ![Switch to advanced editor.](images/icd-switch.png) 1. Enter a name for your project, and then select **Next**. @@ -48,7 +31,7 @@ You can use Windows Configuration Designer to create a provisioning package (`.p | Windows edition | Settings available for customization | Provisioning package can apply to | |---|---|---| - | All Windows editions | Common settings | All Windows client devices | + | All Windows editions | Common settings | All Windows client devices | | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows client desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](/hololens/hololens-provisioning) | 
@@ -67,7 +50,10 @@ For an advanced provisioning project, Windows Configuration Designer opens the *
 
 ![What the ICD interface looks like.](images/icd-runtime.png)
 
-The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md).
+The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md).
+
+> [!NOTE]
+> To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems.
 
 The process for configuring settings is similar for all settings. The following table shows an example.
 
@@ -83,11 +69,11 @@ The process for configuring settings is similar for all settings. The following
 
 :::image type="content" source="images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate.":::
 
-1. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed:
+1. Some settings, such as this example, require additional information. In **Available customizations**, select the value you created, and more settings are displayed:
 
 :::image type="content" source="images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available.":::
 
-1. When the setting is configured, it is displayed in the **Selected customizations** pane:
+1. When the setting is configured, it's displayed in the **Selected customizations** pane:
 
 :::image type="content" source="images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings.":::
 
@@ -97,27 +83,26 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Build package -1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. +1. After you configure your customizations, select **Export**, and then select **Provisioning Package**. ![Export on top bar.](images/icd-export-menu.png) 1. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. - - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field. + - **Name** - This field is prepopulated with the project name. You can change this value by entering a different name in the **Name** field. + - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field. - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. 1. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: - - **Encrypt package** - If you select this option, an autogenerated password will be shown on the screen. - - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. 
- - >[!NOTE] - >You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. + - **Encrypt package** - If you select this option, an autogenerated password is shown on the screen. + - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. - > - >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. + > [!NOTE] + > You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. 
When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. + > + > If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. 1. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location. 
@@ -125,29 +110,17 @@ For details on each specific setting, see [Windows Provisioning settings referen If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page. -1. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +1. If your build fails, an error message appears that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + If your build is successful, the name of the provisioning package, output directory, and project directory is shown. If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. -1. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page. - -**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) - -## Learn more - -- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) +1. When you're done, select **Finish** to close the wizard and go back to the **Customizations** page. 
-## Related articles +## Next steps -- [Provisioning packages for Windows client](provisioning-packages.md) -- [How provisioning works in Windows client](provisioning-how-it-works.md) -- [Install Windows Configuration Designer](provisioning-install-icd.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +> [!div class="nextstepaction"] +> Learn more about applying a provisioning package: +> +> [Apply a provisioning package](provisioning-apply-package.md) \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index dc714cbc363..ec61311214d 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md 
@@ -1,13 +1,13 @@ --- -title: How provisioning works in Windows 10/11 +title: How provisioning works in Windows description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. -ms.topic: article -ms.date: 12/31/2017 +ms.topic: conceptual +ms.date: 07/09/2024 --- # How provisioning works in Windows -Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store. +Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the Microsoft Store. ## Provisioning packages @@ -30,15 +30,10 @@ You can use provisioning packages for runtime device provisioning by accessing When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence: 1. Microsoft - 1. Silicon Vendor - 1. OEM - 1. System Integrator - 1. Mobile Operator - 1. IT Admin The valid value range of package rank level is 0 to 99. 
@@ -130,16 +125,3 @@ When applying provisioning packages from a removable media attached to the devic When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. - -## Related articles - -- [Provisioning packages for Windows client](provisioning-packages.md) -- [Install Windows Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) 
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index bfb515538f0..3b4fddb9b4f 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,15 +1,17 @@ --- title: Install Windows Configuration Designer -description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. -ms.topic: article +description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows. +ms.topic: how-to ms.reviewer: kevinsheehan -ms.date: 12/31/2017 +ms.date: 07/09/2024 --- -# Install Windows Configuration Designer, and learn about any limitations +# Install Windows Configuration Designer Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. +On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store. + ## Supported platforms Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: 
@@ -18,32 +20,22 @@ Windows Configuration Designer can create provisioning packages for Windows clie - Windows 11 - Windows 10 - x86 and amd64 -- Windows 8.1 Update - x86 and amd64 -- Windows 8.1 - x86 and amd64 -- Windows 8 - x86 and amd64 -- Windows 7 - x86 and amd64 **Server OS**: +- Windows Server 2022 +- Windows Server 2019 - Windows Server 2016 -- Windows Server 2012 R2 Update -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - ->[!WARNING] ->You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. -## Install Windows Configuration Designer - -On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store. +> [!WARNING] +> You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. ## Current Windows Configuration Designer limitations -- When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). +- When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. 
You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). -- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled. +- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step displays oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons aren't displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled. - You can only run one instance of Windows Configuration Designer on your computer at a time. 
@@ -68,17 +60,10 @@ On devices running Windows client, you can install [the Windows Configuration De - **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device. -**Next step**: [How to create a provisioning package](provisioning-create-package.md) - -## Related articles +## Next steps -- [Provisioning packages for Windows client](provisioning-packages.md) -- [How provisioning works in Windows client](provisioning-how-it-works.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +> [!div class="nextstepaction"] +> Learn more about creating a provisioning package: +> +> [Create a provisioning package (desktop wizard)](provision-pcs-for-initial-deployment.md) +> [Create a provisioning package (advanced)](provisioning-create-package.md) diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 64da06a98c5..01be2943f72 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md 
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md 
@@ -1,19 +1,19 @@ --- title: Create a provisioning package with multivariant settings description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. -ms.topic: article -ms.date: 12/31/2017 +ms.topic: how-to +ms.date: 07/09/2024 --- # Create a provisioning package with multivariant settings -In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. +In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that apply to devices set up for French and a different set of customization settings for devices set up for Japanese. To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. 
Finally, for each **Target**, you provide the customization settings to be applied to those devices. Let's begin by learning how to define a **Target**. -## Define a target +## Target In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value. @@ -43,9 +43,9 @@ The following table shows the conditions supported in Windows client provisionin | PNN | P0 | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | | GID1 | P0 | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | | ICCID | P0 | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | -| Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | -| UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


    - 0 - Empty
    - 1 - Ready
    - 2 - Locked | -| UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


    - 0 - Slot 0
    - 1 - Slot 1 | +| Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (nonroaming). | +| UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of these values:
    0 - Empty
    1 - Ready
    2 - Locked | +| UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of these values:
    0 - Slot 0
    1 - Slot 1 | | ProcessorType | P1 | Supported | String | Use to target settings based on the processor type. | | ProcessorName | P1 | Supported | String | Use to target settings based on the processor name. | | AoAc ("Always On, Always Connected") | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | 
@@ -53,17 +53,16 @@ The following table shows the conditions supported in Windows client provisionin | SocIdentifier | P1 | Supported | String | Use to target settings based on the Soc Identifier. Available since 25301 OS build version. | | Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | | Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | -| Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | -| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | +| Region | P1 | Supported | Enumeration | Use to target settings based on region, using the two digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | +| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the two digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). 
| The matching types supported in Windows client are: -| Matching type | Syntax | Example | -| --- | --- | --- | -| Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> | -| Regular expression (Regex) match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> | -| Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> | - +| Matching type | Syntax | Example | +|-----------------------------------|-------------------------------------------|------------------------------------------------------------------------| +| Straight match | Matching type is specified as-is | `<Condition Name="ProcessorName" Value="Barton" />` | +| Regular expressions (Regex) match | Matching type is prefixed with `Pattern:` | `<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />` | +| Numeric range match | Matching type is prefixed with `!Range:` | `<Condition Name="MNC" Value="!Range:400, 550" />` | ### TargetState priorities 
@@ -76,27 +75,18 @@ Settings that match more than one **TargetState** with equal priority are applie The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed: 1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions. - 1. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions. - 1. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched. - -1. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority. - +1. If the number of P0 conditions matched is equivalent, then the **TargetState** with the most matched P1 conditions has higher priority. 1. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority. - - ## Create a provisioning package with multivariant settings Follow these steps to create a provisioning package with multivariant capabilities. 1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). - -1. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project. - +1. After you [configure the settings](provisioning-create-package.md#configure-settings), save the project. 1. Open the project folder and copy the customizations.xml file to any local location. - 1. Use an XML or text editor to open the customizations.xml file. 
The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings. @@ -131,10 +121,9 @@ Follow these steps to create a provisioning package with multivariant capabiliti ``` -1. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. - - The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. +1. Edit the customizations.xml file to create a **Targets** section to describe the conditions that handle your multivariant settings. + The following example shows the customizations.xml, which is modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. ```XML 
@@ -185,18 +174,15 @@ Follow these steps to create a provisioning package with multivariant capabiliti 1. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: a. Define a child **TargetRefs** element. - - b. Within the **TargetRefs** element, define a **TargetRef** element. You can define multiple **TargetRef** elements for each **Id** that you need to apply to customized settings. - c. Move compliant settings from the **Common** section to the **Variant** section. If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied. - >[!NOTE] - >You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. + > [!NOTE] + > You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. - The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. + The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that are applied if the conditions for the variant are met. ```XML @@ -249,10 +235,9 @@ Follow these steps to create a provisioning package with multivariant capabiliti - ``` -1. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. +1. Save the updated customizations.xml file and note the path to this updated file. You'll need the path as one of the values for the next step. 1. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
@@ -262,13 +247,10 @@ Follow these steps to create a provisioning package with multivariant capabiliti icd.exe /Build-ProvisioningPackage /CustomizationXML:"C:\CustomProject\customizations.xml" /PackagePath:"C:\CustomProject\output.ppkg" /StoreFile:C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\Microsoft-Common-Provisioning.dat" ``` +In this example, the **StoreFile** corresponds to the location of the settings store that is used to create the package for the required Windows edition. -In this example, the **StoreFile** corresponds to the location of the settings store that will be used to create the package for the required Windows edition. - ->[!NOTE] ->The provisioning package created during this step will contain the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project. - - +> [!NOTE] +> The provisioning package created during this step contains the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project. ## Events that trigger provisioning 
@@ -276,26 +258,11 @@ When you install the multivariant provisioning package on a Windows client devic The following events trigger provisioning on Windows client devices: -| Event | Windows client for desktop editions | -| --- | --- | -| System boot | Supported | -| Operating system update | Planned | -| Package installation during device first run experience | Supported | -| Detection of SIM presence or update | Supported | -| Package installation at runtime | Supported | -| Roaming detected | Not supported | - - -## Related articles - -- [Provisioning packages for Windows client](provisioning-packages.md) -- [How provisioning works in Windows client](provisioning-how-it-works.md) -- [Install Windows Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - +| Event | Windows client for desktop editions | +|---------------------------------------------------------|-------------------------------------| +| System boot | Supported | +| Operating system update | Planned | +| Package installation during device first run experience | Supported | +| Detection of SIM presence or update | Supported | +| Package installation at runtime | Supported | +| Roaming detected | Not supported | 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 13e86abb259..a226b877f35 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,9 +1,9 @@ --- title: Provisioning packages overview -description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. +description: With Windows, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages are and what they do. ms.reviewer: kevinsheehan -ms.topic: article -ms.date: 12/31/2017 +ms.topic: conceptual +ms.date: 07/08/2024 --- # Provisioning packages for Windows 
@@ -12,29 +12,17 @@ Windows provisioning makes it easy for IT administrators to configure end-user d A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. It can result in a significant reduction in the time required to configure multiple devices in your organization. - - +Provisioning packages are simple enough that with a short set of written instructions, a student, or nontechnical users can use them to configure their device. It can result in a significant reduction in the time required to configure multiple devices in your organization. Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). - - - - - - - - - - ## Benefits of provisioning packages Provisioning packages let you: - Quickly configure a new device without going through the process of installing a new image. - Save time by configuring multiple devices using one provisioning package. -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. +- Quickly configure user-owned devices in an organization without a mobile device management (MDM) infrastructure. - Set up a device without the device having network connectivity. Provisioning packages can be: 
@@ -44,15 +32,42 @@ Provisioning packages can be: - Downloaded from a network share. - Deployed in NFC tags or barcodes. +## Provisioning scenarios + +WCD supports the following scenarios for IT administrators: + +- **Simple provisioning** - Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. + + [Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md) + +- **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** - Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. + +- **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end users in the organization. IT administrators can use WCD to specify the management endpoint and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: + + - Microsoft Intune (certificate-based enrollment) + - AirWatch (password-string based enrollment) + - MobileIron (password-string based enrollment) + - Other MDMs (cert-based enrollment) + +> [!NOTE] +> The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store. 
+ +:::image type="content" source="images/icd.png" alt-text="Configuration Designer options"::: + ## What you can configure -### Configuration Designer wizards +Windows Configuration Designer provides the following simple provisioning scenarios: + +- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) +- [Instructions for the kiosk wizard](../assigned-access/overview.md) +- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard) +- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub) The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. | Step | Description | Desktop wizard | Kiosk wizard | HoloLens wizard | | --- | --- | --- | --- | --- | -| Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove pre-installed software | ✅ | ✅ | ✅ | +| Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove preinstalled software | ✅ | ✅ | ✅ | | Set up network | Connect to a Wi-Fi network | ✅ | ✅ | ✅ | | Account management | Enroll device in Active Directory, enroll device in Microsoft Entra ID, or create a local administrator account | ✅ | ✅ | ✅ | | Bulk Enrollment in Microsoft Entra ID | Enroll device in Microsoft Entra ID using Bulk Token

    [Set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment. | ✅ | ✅ | ✅ | @@ -62,14 +77,10 @@ The following table describes settings that you can configure using the wizards | Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✅ | ❌ | | Developer Setup | Enable Developer Mode | ❌ | ❌ | ✅ | -- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) -- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) -- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard) - ->[!NOTE] ->After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package. +> [!TIP] +> After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package. -### Configuration Designer advanced editor +## Configuration Designer advanced editor The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. @@ -77,7 +88,7 @@ The following table provides some examples of settings that you can configure us |---|---| | Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | | Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service

    Using a provisioning package for auto-enrollment to Microsoft Intune isn't supported. To enroll devices, use the Configuration Manager console. | +| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service

    Using a provisioning package for autoenrollment to Microsoft Intune isn't supported. To enroll devices, use the Configuration Manager console. | | Certificates | Root certification authority (CA), client certificates | | Connectivity profiles | Wi-Fi, proxy settings, Email | | Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | 
@@ -87,33 +98,6 @@ The following table provides some examples of settings that you can configure us For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - - - - - -WCD, simplified common provisioning scenarios. - -:::image type="content" source="images/icd.png" alt-text="Configuration Designer options"::: - -WCD supports the following scenarios for IT administrators: - -- **Simple provisioning** - Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. - - [Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md) - -- **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** - Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - -- **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end users in the organization. IT administrators can use WCD to specify the management endpoint and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - - - Microsoft Intune (certificate-based enrollment) - - AirWatch (password-string based enrollment) - - MobileIron (password-string based enrollment) - - Other MDMs (cert-based enrollment) - - - - ## Related articles - [How provisioning works in Windows client](provisioning-how-it-works.md) 
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 4c938d7786d..d8292d3413d 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -1,17 +1,14 @@ --- -title: PowerShell cmdlets for provisioning Windows 10/11 -description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. -ms.topic: article - -ms.date: 12/31/2017 +title: PowerShell cmdlets for provisioning packages in Windows +description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows devices. +ms.topic: conceptual +ms.date: 07/09/2024 --- -# PowerShell cmdlets for provisioning Windows client (reference) +# PowerShell cmdlets for provisioning Windows client Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. -## cmdlets - - **Add-ProvisioningPackage**: Applies a provisioning package. Syntax: @@ -59,7 +56,7 @@ Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it e - `Uninstall-TrustedProvisioningCertificate ` ->[!NOTE] +> [!NOTE] > You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes: 
@@ -69,20 +66,5 @@ Trace logs are captured when using cmdlets. The following logs are available in
 - ProvTrace.<timestamp>.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file
 - ProvLogReport.<timestamp>.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file
-
-
->[!NOTE]
->When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
-
-## Related articles
-
-- [How provisioning works in Windows client](provisioning-how-it-works.md)
-- [Install Windows Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
+> [!NOTE]
+> When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index 199616a94e8..970ed677639 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -1,8 +1,8 @@
 ---
 title: Use a script to install a desktop app in provisioning packages
-description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-ms.topic: article
-ms.date: 12/31/2017
+description: With Windows, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.topic: how-to
+ms.date: 07/09/2024
 ---
 # Use a script to install a desktop app in provisioning packages
@@ -57,14 +57,14 @@ Create a script to perform whatever work is needed to install the application(s) You don't need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). ->[!NOTE] ->All actions performed by the script must happen silently, showing no UI and requiring no user interaction. +> [!NOTE] > ->The scripts will be run on the device in system context. +> - All actions performed by the script must happen silently, showing no UI and requiring no user interaction. +> - The scripts will be run on the device in system context. ### Debugging example -Granular logging isn't built in, so the logging must be built into the script itself. Here's an example script that logs 'Hello World' to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you'll see in the following examples, it's recommended that you log each action that your script performs. +Granular logging isn't built in, so the logging must be built into the script itself. Here's an example script that logs `Hello World` to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you'll see in the following examples, it's recommended that you log each action that your script performs. ```log set LOGFILE=%SystemDrive%\HelloWorld.log @@ -105,8 +105,6 @@ PsExec.exe -accepteula -i -s cmd.exe /c 'powershell.exe my_powershell_script.ps1 echo result: %ERRORLEVEL% >> %LOGFILE% ``` - - ### Extract from a .CAB example This example script shows expansion of a .cab from the provisioning commands script, and installation of the expanded setup.exe 
@@ -178,20 +176,14 @@ When you're done, [build the package](provisioning-create-package.md#build-packa 1. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. 1. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and "please wait" will be displayed on the screen. - >[!NOTE] - >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. + > [!NOTE] + > There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 1. The scripts are executed in the background as the rest of provisioning continues to run. 
For packages added on existing systems using the double-click to install, there's no notification that provisioning or script execution has completed -## Related articles - -- [Provisioning packages for Windows client](provisioning-packages.md) -- [How provisioning works in Windows client](provisioning-how-it-works.md) -- [Install Windows Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +## Next steps + +> [!div class="nextstepaction"] +> Learn more about applying a provisioning package: +> +> [Apply a provisioning package](provisioning-apply-package.md) \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 9a75ffc29b2..a4f68379eeb 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md 
@@ -1,19 +1,18 @@
 ---
-title: Uninstall a provisioning package - reverted settings
-description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices.
-ms.topic: article
-ms.date: 12/31/2017
+title: Settings changed when you uninstall a provisioning package
+description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows desktop client devices.
+ms.topic: conceptual
+ms.date: 07/09/2024
 ---
 # Settings changed when you uninstall a provisioning package
-When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package.
-
-As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**.
+When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package. As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**.
 When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible.
-Only settings in the following lists are revertible.
+> [!IMPORTANT]
+> Only settings in the following lists are revertible.
 ## Registry-based settings
@@ -21,8 +20,8 @@ The registry-based settings that are revertible when a provisioning package is u
 - [Wi-Fi Sense](../wcd/wcd-connectivityprofiles.md#wifisense)
 - [CountryAndRegion](../wcd/wcd-countryandregion.md)
-- DeviceManagement / PGList/ LogicalProxyName
-- UniversalAppInstall / LaunchAppAtLogin
+- [DeviceManagement / PGList / LogicalProxyName](../wcd/wcd-devicemanagement.md#pglist)
+- [UniversalAppInstall](../wcd/wcd-universalappinstall.md) / LaunchAppAtLogin
 - [Power](/previous-versions//dn953704(v=vs.85))
 - [TabletMode](../wcd/wcd-tabletmode.md)
 - [Maps](../wcd/wcd-maps.md)
@@ -33,26 +32,26 @@ The registry-based settings that are revertible when a provisioning package is u
 ## CSP-based settings
-Here is the list of revertible settings based on configuration service providers (CSPs).
-
-[ActiveSync CSP](/windows/client-management/mdm/activesync-csp)
-[AppLocker CSP](/windows/client-management/mdm/applocker-csp)
-[BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp)
-[CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp)
-[ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp)
-[RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp)
-[CM_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp)
-[CM_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp)
-[CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp)
-[CMPolicyEnterprise CSP](/windows/client-management/mdm/cmpolicyenterprise-csp)
-[EMAIL2 CSP](/windows/client-management/mdm/email2-csp)
-[EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp)
-[EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp)
-[EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp)
-[NAP CSP](/windows/client-management/mdm/nap-csp)
-[PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp)
-[Provisioning CSP](/windows/client-management/mdm/provisioning-csp)
-[SecureAssessment CSP](/windows/client-management/mdm/secureassessment-csp)
-[VPN CSP](/windows/client-management/mdm/vpn-csp)
-[VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
-[WiFi CSP](/windows/client-management/mdm/wifi-csp)
+Here's the list of revertible settings based on configuration service providers (CSPs).
+
+- [ActiveSync CSP](/windows/client-management/mdm/activesync-csp)
+- [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
+- [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp)
+- [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp)
+- [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp)
+- [RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp)
+- [CM_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp)
+- [CM_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp)
+- [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp)
+- [CMPolicyEnterprise CSP](/windows/client-management/mdm/cmpolicyenterprise-csp)
+- [EMAIL2 CSP](/windows/client-management/mdm/email2-csp)
+- [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp)
+- [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp)
+- [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp)
+- [NAP CSP](/windows/client-management/mdm/nap-csp)
+- [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp)
+- [Provisioning CSP](/windows/client-management/mdm/provisioning-csp)
+- [SecureAssessment CSP](/windows/client-management/mdm/secureassessment-csp)
+- [VPN CSP](/windows/client-management/mdm/vpn-csp)
+- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
+- [WiFi CSP](/windows/client-management/mdm/wifi-csp)
diff --git a/windows/configuration/provisioning-packages/toc.yml b/windows/configuration/provisioning-packages/toc.yml
index 818ccc679ee..2e5266898dc 100644
--- a/windows/configuration/provisioning-packages/toc.yml
+++ b/windows/configuration/provisioning-packages/toc.yml
@@ -1,29 +1,35 @@ items: - - name: Provisioning packages for Windows client + - name: Overview href: provisioning-packages.md - - name: How provisioning works in Windows client + - name: How provisioning works href: provisioning-how-it-works.md - - name: Introduction to configuration service providers (CSPs) - href: how-it-pros-can-use-configuration-service-providers.md - - name: Install Windows Configuration Designer - href: provisioning-install-icd.md - - name: Create a provisioning package - href: provisioning-create-package.md - - name: Apply a provisioning package - href: provisioning-apply-package.md - - name: Settings changed when you uninstall a provisioning package - href: provisioning-uninstall-package.md - - name: Provision PCs with common settings for initial deployment (desktop wizard) - href: provision-pcs-for-initial-deployment.md - - name: Provision PCs with apps - href: provision-pcs-with-apps.md - - name: Use a script to install a desktop app in provisioning packages - href: provisioning-script-to-install-app.md + - name: Quickstarts + items: + - name: Install Windows Configuration Designer + href: provisioning-install-icd.md + - name: Create a provisioning package (desktop wizard) + href: provision-pcs-for-initial-deployment.md + - name: Create a provisioning package (advanced) + href: provisioning-create-package.md + - name: Apply a provisioning package + href: provisioning-apply-package.md + - name: Provision apps + items: + - name: Provision apps + href: provision-pcs-with-apps.md + - name: Use a script to install a desktop app + href: provisioning-script-to-install-app.md - name: Create a provisioning package with multivariant settings href: provisioning-multivariant.md - - name: PowerShell cmdlets for provisioning Windows client (reference) - href: provisioning-powershell.md - name: Diagnose provisioning packages href: diagnose-provisioning-packages.md - - name: Windows Configuration Designer command-line interface (reference) - href: 
provisioning-command-line.md \ No newline at end of file + - name: Settings changed when you uninstall a provisioning package + href: provisioning-uninstall-package.md + - name: Reference + items: + - name: Introduction to configuration service providers (CSPs) + href: how-it-pros-can-use-configuration-service-providers.md + - name: Windows Configuration Designer command-line interface + href: provisioning-command-line.md + - name: PowerShell cmdlets for provisioning Windows client + href: provisioning-powershell.md \ No newline at end of file diff --git a/windows/configuration/start/customize-and-export-start-layout.md b/windows/configuration/start/customize-and-export-start-layout.md deleted file mode 100644 index 725c7c87564..00000000000 --- a/windows/configuration/start/customize-and-export-start-layout.md +++ /dev/null 
@@ -1,143 +0,0 @@ ---- -title: Customize and export Start layout -description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. -ms.topic: how-to -appliesto: -- ✅ Windows 10 -ms.date: 08/18/2023 -ms.collection: - - tier1 ---- - -# Customize and export Start layout - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. - -After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. - -When a full Start layout is applied, the users can't pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they can't pin any apps to Start. - -When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups. - -> [!NOTE] -> Partial Start layout is only supported on Windows 10, version 1511 and later. - -You can deploy the resulting .xml file to devices using one of the following methods: - -- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -## Customize the Start screen on your test computer - -To prepare a Start layout for export, you simply customize the Start layout on a test computer. - -To prepare a test computer: - -1. Set up a test computer on which to customize the Start layout. 
Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. -1. Create a new user account that you'll use to customize the Start layout. - -To customize Start: - -1. Sign in to your test computer with the user account that you created. -1. Customize the Start layout as you want users to see it by using the following techniques: - - - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then select **Pin to Start**. - To view all apps, select **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. - - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then select **Unpin from Start**. - - **Drag tiles** on Start to reorder or group apps. - - **Resize tiles**. To resize tiles, right-click the tile and then select **Resize.** - - **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group. - -> [!IMPORTANT] -> In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in. -> -> In earlier versions of Windows 10, no tile would be pinned. - -### Export the Start layout - -When you have the Start layout that you want your users to see, use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell to export the Start layout to an .xml file. 
Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ - -> [!IMPORTANT] -> If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions. - -To export the Start layout to an .xml file: - -1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**. -1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: - - `Export-StartLayout -path .xml` - - On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example: - - ```PowerShell - Export-StartLayout -UseDesktopApplicationID -Path layout.xml - ``` - - In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). - - Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension. - - Example of a layout file produced by `Export-StartLayout`: - - ```xml - - - - - - - - - - - - - - - ``` - -1. (Optional) Edit the .xml file to add [a taskbar configuration](../taskbar/configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). 
When you make changes to the exported layout, be aware that [the order of the elements in the .xml file is critical.](start-layout-xml-desktop.md#required-order) - -> [!IMPORTANT] -> If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. - -> [!NOTE] -> All clients that the start layout applies to must have the apps and other shortcuts present on the local system in the same location as the source for the Start layout. -> -> For scripts and application tile pins to work correctly, follow these rules: -> ->- Executable files and scripts should be listed in \Program Files or wherever the installer of the app places them. ->- Shortcuts that will pinned to Start should be placed in \ProgramData\Microsoft\Windows\Start Menu\Programs. ->- If you place executable files or scripts in the \ProgramData\Microsoft\Windows\Start Menu\Programs folder, they will not pin to Start. ->- Start on Windows 10 does not support subfolders. We only support one folder. For example, \ProgramData\Microsoft\Windows\Start Menu\Programs\Folder. If you go any deeper than one folder, Start will compress the contents of all the subfolder to the top level. ->- Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\. - -### Configure a partial Start layout - -A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. 
All groups that you add are *locked*, meaning users can't change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. - -![locked tile group.](images/start-pinned-app.png) - -When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. - -When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added. - -If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked. - -To configure a partial Start screen layout: - -1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer). -1. [Export the Start layout](#export-the-start-layout). -1. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: - - ```xml - - ``` - -1. Save the file and apply using any of the deployment methods. - -> [!NOTE] -> Office 2019 tiles might be removed from the Start menu when you upgrade Office 201. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed. 
diff --git a/windows/configuration/start/customize-start-menu-layout-windows-11.md b/windows/configuration/start/customize-start-menu-layout-windows-11.md deleted file mode 100644 index e8995d4ee4f..00000000000 --- a/windows/configuration/start/customize-start-menu-layout-windows-11.md +++ /dev/null 
@@ -1,169 +0,0 @@ ---- -title: Add or remove pinned apps on the Start menu in Windows 11 -description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -ms.date: 01/10/2023 -ms.topic: article -appliesto: -- ✅ Windows 11 ---- - -# Customize the Start menu layout on Windows 11 - -> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). - -Your organization can deploy a customized Start layout to your Windows 11 devices. Customizing the Start layout is common when you have similar devices used by many users, or you want to pin specific apps. - -For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more. - -To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). - -This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune policy. - -## Before you begin - -- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. When a user signs in or Explorer restarts, Windows reapplies the MDM policy. This action restores the specified layout and doesn't retain any user changes. 
- - To prevent users from making any changes to the Start menu layout, see the [NoChangeStartMenu](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-nochangestartmenu) policy. - -- It's recommended to use a mobile device management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. - - In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: - - - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) - - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) - -## Start menu features and areas - -In Windows 11, the Start menu is redesigned with a simplified set of apps that are arranged in a grid of pages. There aren't folders, groups, or different-sized app icons: - -:::image type="content" source="./images/start-windows-11.png" alt-text="Sample start menu layout on Windows 11 that shows pinned apps, access to all apps, and recommended files."::: - -Start has the following areas: - -- **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default. - - This article shows you [how to use the **ConfigureStartPins** policy](#get-the-pinnedlist-json). - -- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. 
- - The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list. - - In **Intune**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Intune policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). - - In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: - - - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` - - `User Configuration\Administrative Templates\Start Menu and Taskbar` - -- **Recommended**: Shows recently opened files and recently installed apps. This section can only be customized in Windows 11 SE using the following policy. - - - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Recommended section from Start Menu` - -## Create the JSON file - -On an existing Windows 11 device, set up your own Start layout with the pinned apps you want users to see. Then, use the [Windows PowerShell Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet to export the existing layout to a `LayoutModification.json` file. - -The JSON file controls the Start menu layout, and lists all the apps that are pinned. You can update the JSON file to: - -- Change the order of existing apps. The apps in the JSON file are shown on Start in the same order. -- Add more apps by entering the app ID. For more information, see [Get the pinnedList JSON](#get-the-pinnedlist-json) (in this article). - -If you're familiar with creating JSON files, you can create your own `LayoutModification.json` file. 
But, it's easier and faster to export the layout from an existing device. - -### Export an existing Start layout - -1. Create a folder to save the `.json` file. For example, create the `C:\Layouts` folder. -1. On a Windows 11 device, open the Windows PowerShell app. -1. Run the following cmdlet. Name the file `LayoutModification.json`. - - ```powershell - Export-StartLayout -Path "C:\Layouts\LayoutModification.json" - - ``` - -### Get the pinnedList JSON - -1. Open the `LayoutModification.json` file in a JSON editor, such as Visual Studio Code or Notepad. For more information, see [edit JSON with Visual Studio Code](https://code.visualstudio.com/docs/languages/json). -1. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section. - - In the following example, you see that Microsoft Edge, Microsoft Word, the Microsoft Store app, and Notepad are pinned: - - ```json - { - "pinnedList": [ - { "desktopAppId": "MSEdge" }, - { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, - { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, - { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" } - ] - } - ``` - -1. Starting with Windows 11, the **ConfigureStartPins** policy is available. This policy uses the `LayoutModification.json` file to add apps to the Pinned section. In your JSON file, you can add more apps to this section using the following keys: - -| Key | Description | -|--|--| -| packagedAppID | Use this option for Universal Windows Platform apps. To pin a UWP app, use the app's AUMID. | -| desktopAppID | Use this option for unpackaged Win32 apps. To pin a Win32 app, use the app's AUMID. If the app doesn't have an AUMID, then enter the `desktopAppLink` instead. | -| desktopAppLink | Use this option for unpackaged Win32 apps that don't have an associated AUMID. 
To pin this type of app, use the path to the `.lnk` shortcut that points to the app. | - -## Use MDM to create and deploy a pinned list policy - -Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization. - -MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. - -This section shows you how to create a pinned list policy in Intune. There isn't a Group Policy to create a pinned list. - -### Create a pinned list using an Intune policy - -To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment). - -1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Configuration profiles** > **Create profile**. -1. Enter the following properties: - - - **Platform**: Select **Windows 10 and later**. - - **Profile**: Select **Templates** > **Custom**. - -1. Select **Create**. -1. In **Basics**, enter the following properties: - - - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is **Win11: Custom Start layout**. - - **Description**: Enter a description for the profile. This setting is optional, and recommended. - -1. Select **Next**. -1. In **Configuration settings** > **OMA-URI**, select **Add**. Add the following properties: - - - **Name**: Enter something like **Configure Start pins**. - - **Description**: Enter a description for the row. This setting is optional, and recommended. - - **OMA-URI**: Enter `./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins`. - - **Data type**: Select **String**. 
- - **Value**: Paste the JSON you created or updated in the previous section. For example, enter the following text: - - ```json - { - "pinnedList": [ - { "desktopAppId": "MSEdge" }, - { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, - { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, - { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" } - ] - } - ``` - - Your settings look similar to the following settings: - - :::image type="content" source="./images/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList"::: - -1. Select **Save** > **Next** to save your changes. -1. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure). - -The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md). - -### Deploy the policy using Intune - -When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time. - -For more information and guidance on assigning policies to devices in your organization, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). diff --git a/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md deleted file mode 100644 index 6702f5d255e..00000000000 --- a/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Customize Windows 10 Start and taskbar with group policy -description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. -ms.date: 12/31/2017 -ms.topic: how-to -appliesto: -- ✅ Windows 10 ---- - -# Customize Windows 10 Start and taskbar with Group Policy - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. - -This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. - ->[!WARNING] ->When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps. - -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) - -## Operating system requirements - -In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. 
In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro. - -The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base. - -## How Start layout control works - -Three features enable Start and taskbar layout control: - -- The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - >[!NOTE] - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. -- [You can modify the Start .xml file](../taskbar/configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. -- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case. - ->[!NOTE] ->To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863). 
- -## Use Group Policy to apply a customized Start layout in a domain - -To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain. - -The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. - -The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. - -The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users' computers when they sign in and the users must have Read-only access to the file. If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar. - -For information about deploying GPOs in a domain, see [Working with Group Policy Objects](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). - -## Use Group Policy to apply a customized Start layout on the local computer - -You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. 
You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. - ->[!NOTE] ->This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment). -> ->This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](/previous-versions/windows/it-pro/windows-vista/cc766291(v=ws.10)). The guide was written for Windows Vista and the procedures still apply to Windows 10. - -This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer. - -**To configure Start Layout policy settings in Local Group Policy Editor** - -1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**. -1. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. - ![start screen layout policy settings.](images/starttemplate.jpg) -1. Right-click **Start Layout** in the right pane, and click **Edit**. - This opens the **Start Layout** policy settings. - ![policy settings for start screen layout.](images/startlayoutpolicy.jpg) -1. Enter the following settings, and then click **OK**: - 1. Select **Enabled**. - 1. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**. - 1. Optionally, enter a comment to identify the Start and taskbar layout. 
- - > [!IMPORTANT] - > If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: - > - > `(ls ).LastWriteTime = Get-Date` - -## Update a customized Start layout - -After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp. diff --git a/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md deleted file mode 100644 index 1b378a93cad..00000000000 --- a/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs -description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. -ms.topic: article -appliesto: -- ✅ Windows 10 -ms.date: 08/05/2021 ---- - -# Customize Windows 10 Start and taskbar with mobile device management (MDM) - ->**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead. - ->[!NOTE] ->Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. - -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization). - ->[!WARNING] ->When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. - -## How Start layout control works - -Two features enable Start layout control: - -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. 
- - >[!NOTE] - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. - -- In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. - - >[!NOTE] - >Please do not include XML Prologs like \ in the Start layout XML file. The settings may not be reflected correctly. - -## Create a policy for your customized Start layout - -The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout: - -1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. Select **Devices** > **Configuration profiles** > **Create profile**. - -1. Enter the following properties: - - - **Platform**: Select **Windows 10 and later**. - - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. - -1. In **Basics**, enter the following properties: - - - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Customize Start menu and taskbar**. - - **Description**: Enter a description for the profile. This setting is optional, but recommended. - -1. Select **Next**. - -1. In **Configuration settings**, select **Start**: - - - If you're using an XML file, select **Start menu layout**. Browse to and select your Start layout XML file. - - If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). - -1. Select **Next**. -1. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). -1. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. 
For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). -1. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. - -> [!NOTE] -> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. diff --git a/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md deleted file mode 100644 index b8653f7973f..00000000000 --- a/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ /dev/null 
@@ -1,115 +0,0 @@ ---- -title: Customize Windows 10 Start and taskbar with provisioning packages -description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. -ms.topic: article -appliesto: -- ✅ Windows 11 -ms.date: 12/31/2017 ---- - -# Customize Windows 10 Start and taskbar with provisioning packages - -> **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -> [!NOTE] -> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 1. It's not supported on Windows 11. - -In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. - -> [!IMPORTANT] -> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. - -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. - -## How Start layout control works - -Three features enable Start and taskbar layout control: - -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. 
- - > [!NOTE] - > To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. - -- [You can modify the Start .xml file](../taskbar/configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. - -- In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout. - - - -## Prepare the Start layout XML file - -The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. - -1. Copy the contents of layout.xml into an online tool that escapes characters. - -1. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project. - -## Create a provisioning package that contains a customized Start layout - -Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md) - -> [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -1. 
Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -1. Choose **Advanced provisioning**. - -1. Name your project, and click **Next**. - -1. Choose **All Windows desktop editions** and click **Next**. - -1. On **New project**, click **Finish**. The workspace for your package opens. - -1. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**. - - > [!TIP] - > If **Start** is not listed, check the type of settings you selected in step 1. You must create the project using settings for **All Windows desktop editions**. - -1. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step. - -1. Save your project and close Windows Configuration Designer. - -1. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) - -1. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - - ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png) - -1. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). - -1. Save and close the customizations.xml file. - -1. Open Windows Configuration Designer and open your project. - -1. On the **File** menu, select **Save.** - -1. On the **Export** menu, select **Provisioning package**. - -1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -1. Optional. 
In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. - -1. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -1. Click **Next**. - -1. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -1. Copy the provisioning package to the target device. -1. Double-click the ppkg file and allow it to install. 
diff --git a/windows/configuration/start/images/customization-start-edge.PNG b/windows/configuration/start/images/customization-start-edge.PNG
deleted file mode 100644
index 333833d8c09..00000000000
Binary files a/windows/configuration/start/images/customization-start-edge.PNG and /dev/null differ
diff --git a/windows/configuration/start/images/customization-start.PNG b/windows/configuration/start/images/customization-start.PNG
deleted file mode 100644
index 49423381818..00000000000
Binary files a/windows/configuration/start/images/customization-start.PNG and /dev/null differ
diff --git a/windows/configuration/start/images/edge-with-logo.png b/windows/configuration/start/images/edge-with-logo.png
deleted file mode 100644
index cc3504a6788..00000000000
Binary files a/windows/configuration/start/images/edge-with-logo.png and /dev/null differ
diff --git a/windows/configuration/start/images/edge-without-logo.png b/windows/configuration/start/images/edge-without-logo.png
deleted file mode 100644
index 52085a2d685..00000000000
Binary files a/windows/configuration/start/images/edge-without-logo.png and /dev/null differ
diff --git a/windows/configuration/start/images/endpoint-manager-admin-center-custom-oma-uri-start-layout.png b/windows/configuration/start/images/endpoint-manager-admin-center-custom-oma-uri-start-layout.png
deleted file mode 100644
index cd508b3dea9..00000000000
Binary files a/windows/configuration/start/images/endpoint-manager-admin-center-custom-oma-uri-start-layout.png and /dev/null differ
diff --git a/windows/configuration/start/images/start-pinned-app.png b/windows/configuration/start/images/start-pinned-app.png
deleted file mode 100644
index e1e4a24a00c..00000000000
Binary files a/windows/configuration/start/images/start-pinned-app.png and /dev/null differ
diff --git a/windows/configuration/start/images/start-windows-11.png b/windows/configuration/start/images/start-windows-11.png
deleted file mode 100644
index 9cafb224bf1..00000000000
Binary files a/windows/configuration/start/images/start-windows-11.png and /dev/null differ
diff --git a/windows/configuration/start/images/startannotated.png b/windows/configuration/start/images/startannotated.png
deleted file mode 100644
index 9261fd90785..00000000000
Binary files a/windows/configuration/start/images/startannotated.png and /dev/null differ
diff --git a/windows/configuration/start/images/startlayoutpolicy.jpg b/windows/configuration/start/images/startlayoutpolicy.jpg
deleted file mode 100644
index d3c8d054fe5..00000000000
Binary files a/windows/configuration/start/images/startlayoutpolicy.jpg and /dev/null differ
diff --git a/windows/configuration/start/images/starttemplate.jpg b/windows/configuration/start/images/starttemplate.jpg
deleted file mode 100644
index 900eed08c54..00000000000
Binary files a/windows/configuration/start/images/starttemplate.jpg and /dev/null differ
diff --git a/windows/configuration/start/images/taskbar-generic.png b/windows/configuration/start/images/taskbar-generic.png
deleted file mode 100644
index 6d47a6795a9..00000000000
Binary files a/windows/configuration/start/images/taskbar-generic.png and /dev/null differ
diff --git a/windows/configuration/start/images/windows-10-partial-layout.png b/windows/configuration/start/images/windows-10-partial-layout.png
new file mode 100644
index 00000000000..4650cc42cf4
Binary files /dev/null and b/windows/configuration/start/images/windows-10-partial-layout.png differ
diff --git a/windows/configuration/start/images/windows-10-secondary-tile.png b/windows/configuration/start/images/windows-10-secondary-tile.png
new file mode 100644
index 00000000000..01e25ef3bc5
Binary files /dev/null and b/windows/configuration/start/images/windows-10-secondary-tile.png differ
diff --git a/windows/configuration/start/images/windows-10-settings.png b/windows/configuration/start/images/windows-10-settings.png
new file mode 100644
index 00000000000..496c2a62c2f
Binary files /dev/null and b/windows/configuration/start/images/windows-10-settings.png differ
diff --git a/windows/configuration/start/images/windows-10.png b/windows/configuration/start/images/windows-10.png
new file mode 100644
index 00000000000..98db149a776
Binary files /dev/null and b/windows/configuration/start/images/windows-10.png differ
diff --git a/windows/configuration/start/images/windows-11-secondary-tile.png b/windows/configuration/start/images/windows-11-secondary-tile.png
new file mode 100644
index 00000000000..7e7600dcc38
Binary files /dev/null and b/windows/configuration/start/images/windows-11-secondary-tile.png differ
diff --git a/windows/configuration/start/images/windows-11-settings.png b/windows/configuration/start/images/windows-11-settings.png
new file mode 100644
index 00000000000..18150b3ff8d
Binary files /dev/null and b/windows/configuration/start/images/windows-11-settings.png differ
diff --git a/windows/configuration/start/images/windows-11.png b/windows/configuration/start/images/windows-11.png
new file mode 100644
index 00000000000..32925b625e2
Binary files /dev/null and b/windows/configuration/start/images/windows-11.png differ
diff --git a/windows/configuration/start/includes/allow-pinned-folder-documents.md b/windows/configuration/start/includes/allow-pinned-folder-documents.md
new file mode 100644
index 00000000000..85de1af61ce
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-documents.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Documents
+
+This policy controls the visibility of the Documents shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Documents shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Documents shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#allowpinnedfolderdocuments) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-downloads.md b/windows/configuration/start/includes/allow-pinned-folder-downloads.md
new file mode 100644
index 00000000000..b10fa9128e5
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-downloads.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Downloads
+
+This policy controls the visibility of the Downloads shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Downloads shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Downloads shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#allowpinnedfolderdownloads) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-file-explorer.md b/windows/configuration/start/includes/allow-pinned-folder-file-explorer.md
new file mode 100644
index 00000000000..2c0fb926a36
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-file-explorer.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder File Explorer
+
+This policy controls the visibility of the File Explorer shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the File Explorer shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the File Explorer shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#allowpinnedfolderfileexplorer) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-home-group.md b/windows/configuration/start/includes/allow-pinned-folder-home-group.md
new file mode 100644
index 00000000000..933eb328aae
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-home-group.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Home Group
+
+This policy controls the visibility of the Home Group shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Home Group shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Home Group shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#allowpinnedfolderhomegroup) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-music.md b/windows/configuration/start/includes/allow-pinned-folder-music.md
new file mode 100644
index 00000000000..b70d8557ba2
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-music.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Music
+
+This policy controls the visibility of the Music shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Music shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Music shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#allowpinnedfoldermusic) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-network.md b/windows/configuration/start/includes/allow-pinned-folder-network.md
new file mode 100644
index 00000000000..b9e3defc32b
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-network.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Network
+
+This policy controls the visibility of the Network shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Network shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Network shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderNetword](/windows/client-management/mdm/policy-csp-start#allowpinnedfoldernetwork) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-personal-folder.md b/windows/configuration/start/includes/allow-pinned-folder-personal-folder.md
new file mode 100644
index 00000000000..c80c7e6a096
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-personal-folder.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Personal Folder
+
+This policy controls the visibility of the Personal Folder shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Personal Folder shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Personal Folder shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#allowpinnedfolderpersonalfolder) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-pictures.md b/windows/configuration/start/includes/allow-pinned-folder-pictures.md
new file mode 100644
index 00000000000..07c10b80144
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-pictures.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Pictures
+
+This policy controls the visibility of the Pictures shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Pictures shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Pictures shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#allowpinnedfolderpictures) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-settings.md b/windows/configuration/start/includes/allow-pinned-folder-settings.md
new file mode 100644
index 00000000000..0cf19f323fa
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-settings.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Settings
+
+This policy controls the visibility of the Settings shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Settings shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Settings shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#allowpinnedfoldersettings) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/allow-pinned-folder-videos.md b/windows/configuration/start/includes/allow-pinned-folder-videos.md
new file mode 100644
index 00000000000..0d8ccdca7cc
--- /dev/null
+++ b/windows/configuration/start/includes/allow-pinned-folder-videos.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Allow pinned folder Videos
+
+This policy controls the visibility of the Videos shortcut on the *Pinned folder* section of the Start menu:
+
+- When enabled, the Videos shortcut is displayed in the Pinned folder section of the Start menu
+- When disabled, the Videos shortcut is not displayed in the Pinned folder section of the Start menu
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#allowpinnedfoldervideos) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/clear-history-of-recently-opened-documents-on-exit.md b/windows/configuration/start/includes/clear-history-of-recently-opened-documents-on-exit.md
new file mode 100644
index 00000000000..a81f0280570
--- /dev/null
+++ b/windows/configuration/start/includes/clear-history-of-recently-opened-documents-on-exit.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Clear history of recently opened documents on exit
+
+If you enable this policy setting, shortcuts to recently used files are deleted when the user signs out:
+
+- The **Recent Items** section on the Start menu is cleared
+- Recently and frequently used items in the jump lists of programs in the Start menu and Taskbar are cleared
+
+If you disable or don't configure this policy setting, the system retains document shortcuts. When a user signs in, the **Recent Items** menu and the jump lists appear as when the user logged off.
+
+> [!NOTE]
+> The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Clear history of recently opened documents on exit** |
diff --git a/windows/configuration/start/includes/clear-the-recent-programs-list-for-new-users.md b/windows/configuration/start/includes/clear-the-recent-programs-list-for-new-users.md
new file mode 100644
index 00000000000..cb6caaaf105
--- /dev/null
+++ b/windows/configuration/start/includes/clear-the-recent-programs-list-for-new-users.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Clear the recent programs list for new users
+
+If you enable this policy setting, the recent programs list in the start menu is empty for each new user. If you disable or don't configure this policy setting, the start menu *recent programs list* is prepopulated with programs for each new user.
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Clear the recent programs list for new users** |
diff --git a/windows/configuration/start/includes/clear-tile-notifications-during-log-on.md b/windows/configuration/start/includes/clear-tile-notifications-during-log-on.md
new file mode 100644
index 00000000000..59c2b071329
--- /dev/null
+++ b/windows/configuration/start/includes/clear-tile-notifications-during-log-on.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Clear tile notifications during log on
+
+If you enable this policy setting, the system deletes tile notifications when the user signs on. As a result, the tiles in the Start menu always show their default content when a user signs in. Any cached versions of the notifications are cleared when the user signs in. If you disable or don't configure this setting, the system retains notifications, and when a user signs in, the tiles appear just as they did when the user signed out, including the history of previous notifications for each tile. This policy setting doesn't prevent new notifications from appearing.
+
+| | Path |
+|--|--|
+| **CSP** | ./Device/Vendor/MSFT/[Setting]() |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/start/includes/configure-start-layout.md b/windows/configuration/start/includes/configure-start-layout.md
new file mode 100644
index 00000000000..fca0c5315d6
--- /dev/null
+++ b/windows/configuration/start/includes/configure-start-layout.md
@@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Configure Start layout + +This policy setting lets you specify the Start layout for users, preventing them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the `Export-StartLayout` PowerShell cmdlet. To use this setting, you must first manually configure a device's Start layout to the desired look and feel. Then, run the `Export-StartLayout` PowerShell cmdlet on that same device. The cmdlet generates an XML file representing the layout you configured. Once the XML file is generated and moved to the desired file path, use the fully qualified path and name of the XML file. You can use a local path, or a UNC path. If the specified file isn't available when the user signs in, the layout isn't changed. Users can't customize the Start layout while this setting is enabled. If you disable this setting or don't configure it, the Start screen layout isn't changed and users can customize it. + +| | Path | +|--|--| +| **CSP** | [Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | + +For more information, see [Customize the Start layout](../layout.md). diff --git a/windows/configuration/start/includes/configure-start-pins.md b/windows/configuration/start/includes/configure-start-pins.md new file mode 100644 index 00000000000..9f24b17c31f --- /dev/null +++ b/windows/configuration/start/includes/configure-start-pins.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 10/30/2023 +ms.topic: include +--- + +### Configure Start pins + +This policy setting lets you specify a new list of pinned apps to override the default/current list of pinned apps in the Windows Start menu. + +The policy setting accepts a JSON file that contains the list of items to pin, and their order. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-start#configurestartpins)

    `./User/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-start#configurestartpins)| +| **GPO** | Not available | + +For more information, see [Customize the Start layout](../layout.md). diff --git a/windows/configuration/start/includes/disable-context-menus.md b/windows/configuration/start/includes/disable-context-menus.md new file mode 100644 index 00000000000..e502478b6fe --- /dev/null +++ b/windows/configuration/start/includes/disable-context-menus.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Disable context menus + +With this policy setting you can prevent users from opening the context menus in the Start menu. If you enable this policy, then invocations of context menus within the Start menu is ignored. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[DisableContextMenus](/windows/client-management/mdm/policy-csp-start#disablecontextmenus)

    `./User/Vendor/MSFT/Policy/Config/Start/`[DisableContextMenus](/windows/client-management/mdm/policy-csp-start#disablecontextmenus)| +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Disable context menus in the Start Menu** | diff --git a/windows/configuration/start/includes/disable-search.md b/windows/configuration/start/includes/disable-search.md new file mode 100644 index 00000000000..5de3b6fa117 --- /dev/null +++ b/windows/configuration/start/includes/disable-search.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Disable search + +When you enable this policy setting, the Search UI and all its entry points are disabled, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu's search box and Search Taskbar buttons are hidden. If you disable or don't configure this policy setting, users can open the Search UI and its different entry points are available. + + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Search/`[DisableSearch](/windows/client-management/mdm/policy-csp-search#disablesearch)| +| **GPO** | **Computer Configuration** > **Windows Components** > **Search** > **Fully disable Search UI** | diff --git a/windows/configuration/start/includes/do-not-use-the-search-based-method-when-resolving-shell-shortcuts.md b/windows/configuration/start/includes/do-not-use-the-search-based-method-when-resolving-shell-shortcuts.md new file mode 100644 index 00000000000..55a74cc1907 --- /dev/null +++ b/windows/configuration/start/includes/do-not-use-the-search-based-method-when-resolving-shell-shortcuts.md 
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Don't use the search-based method when resolving shell shortcuts
+
+This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. If you enable this policy setting, the system doesn't conduct the final drive search. It just displays a message explaining that the file isn't found. If you disable or don't configure this policy setting, by default, when the system can't find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path isn't correct, it conducts a comprehensive search of the target drive in an attempt to find the file. Note: This policy setting only applies to target files on NTFS partitions. FAT partitions don't have this ID tracking and search capability.
+
+| | Path |
+|--|--|
+| **CSP** | ./Device/Vendor/MSFT/[Setting]() |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not use the search-based method when resolving shell shortcuts** |
diff --git a/windows/configuration/start/includes/do-not-use-the-tracking-based-method-when-resolving-shell-shortcuts.md b/windows/configuration/start/includes/do-not-use-the-tracking-based-method-when-resolving-shell-shortcuts.md
new file mode 100644
index 00000000000..a877effc15c
--- /dev/null
+++ b/windows/configuration/start/includes/do-not-use-the-tracking-based-method-when-resolving-shell-shortcuts.md
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Don't use the tracking-based method when resolving shell shortcuts + +This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. If you enable this policy setting, the system doesn't try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. If you disable or don't configure this policy setting, by default, when the system can't find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path isn't correct, it conducts a comprehensive search of the target drive in an attempt to find the file. Note: This policy setting only applies to target files on NTFS partitions. FAT partitions don't have this ID tracking and search capability. + +| | Path | +|--|--| +| **CSP** | ./Device/Vendor/MSFT/[Setting]() | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not use the tracking-based method when resolving shell shortcuts** | diff --git a/windows/configuration/start/includes/example-assets.md b/windows/configuration/start/includes/example-assets.md new file mode 100644 index 00000000000..1a9db2bdb8b --- /dev/null +++ b/windows/configuration/start/includes/example-assets.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +Example of the output of the PowerShell cmdlet `Export-StartLayoutEdgeAssets`: + +```xml + + + + Base64 encoded value of the logo + + + + Base64 encoded value of the logo + + +``` \ No newline at end of file 
diff --git a/windows/configuration/start/includes/example-secondary-tiles.md b/windows/configuration/start/includes/example-secondary-tiles.md new file mode 100644 index 00000000000..1f1a7197b54 --- /dev/null +++ b/windows/configuration/start/includes/example-secondary-tiles.md @@ -0,0 +1,24 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +Example of secondary tiles in XML generated by the PowerShell cmdlet `Export-StartLayout`: + +```xml + +``` diff --git a/windows/configuration/start/includes/example-start-layout.md b/windows/configuration/start/includes/example-start-layout.md new file mode 100644 index 00000000000..94957b8fa91 --- /dev/null +++ b/windows/configuration/start/includes/example-start-layout.md 
@@ -0,0 +1,57 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +::: zone pivot="windows-10" + +```xml + + + + + + + + + + + + + + + + + + + + + + +``` + +::: zone-end + +::: zone pivot="windows-11" + +```json +{ + "pinnedList": [ + {"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" }, + { "packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" }, + { "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk" }, + { "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk" }, + { "packagedAppId": "Microsoft.WindowsTerminal_8wekyb3d8bbwe!App" }, + { "packagedAppId": "Microsoft.Paint_8wekyb3d8bbwe!App" }, + { "packagedAppId": "Microsoft.Windows.Photos_8wekyb3d8bbwe!App" }, + { "packagedAppId": "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App" }, + { "packagedAppId": "Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App" }, + { "packagedAppId": "Microsoft.SecHealthUI_8wekyb3d8bbwe!SecHealthUI" }, + { "packagedAppId": "Microsoft.OutlookForWindows_8wekyb3d8bbwe!Microsoft.OutlookforWindows"} + ] +} +``` + +::: zone-end diff --git a/windows/configuration/start/includes/force-start-size.md b/windows/configuration/start/includes/force-start-size.md new file mode 100644 index 00000000000..2f1dda14963 --- /dev/null +++ b/windows/configuration/start/includes/force-start-size.md 
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Force Start size + +If you enable this policy and set it to Start menu or full screen Start, Start is set to that size and users can't change the size of Start in Settings. If you disable or don't configure this policy setting, Windows automatically selects the size based on hardware form factor and users can change the size of Start in Settings. + +| | Path | +|--|--| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[ForceStartSize](/windows/client-management/mdm/policy-csp-start#forcestartsize)

    `./Device/Vendor/MSFT/Policy/Config/Start/`[ForceStartSize](/windows/client-management/mdm/policy-csp-start#forcestartsize) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Force Start to be either full screen size or menu size** | diff --git a/windows/configuration/start/includes/hide-app-list.md b/windows/configuration/start/includes/hide-app-list.md new file mode 100644 index 00000000000..6185e19f8fb --- /dev/null +++ b/windows/configuration/start/includes/hide-app-list.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide app list + +If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu: + +- **Collapse** doesn't display the app list next to the pinned tiles in Start. An **All apps** button is displayed on Start to open the all apps list. This is equivalent to setting the **Show app list in Start** in Settings to **Off** +- **Collapse and disable setting** is the same as the collapse option and disable the **Show app list in Start menu** in Settings, so users can't turn it to On +- **Remove and disable setting** removes the all apps list from Start and disable the **Show app list in Start menu** in Settings, so users can't turn it to On +- If you disable or don't configure this setting, the all apps list is visible by default, and the user can change **Show app list in Start** in Settings + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideAppList](/windows/client-management/mdm/policy-csp-start#hideapplist)

    `./User/Vendor/MSFT/Policy/Config/Start/`[HideAppList](/windows/client-management/mdm/policy-csp-start#hideapplist) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove All Programs list from the Start menu**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove All Programs list from the Start menu** | diff --git a/windows/configuration/start/includes/hide-change-account-settings.md b/windows/configuration/start/includes/hide-change-account-settings.md new file mode 100644 index 00000000000..4e0e563b3e1 --- /dev/null +++ b/windows/configuration/start/includes/hide-change-account-settings.md @@ -0,0 +1,13 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 10/30/2023 +ms.topic: include +--- + +### Hide change account settings + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#hidechangeaccountsettings)| +| **GPO** | Not available. | diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md new file mode 100644 index 00000000000..a914eb1c31b --- /dev/null +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md 
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 07/11/2024
+ms.topic: include
+---
+
+### Hide entry points for Fast User Switching
+
+With this policy setting you can prevent multiple users to sign in at the same time, using the Fast User Switching feature.
+
+- If enabled, only one user can sign in at a time. The Fast User Switching entry points are hidden from the sign-in screen, the Start menu, and the Task Manager. If multiple users want to sign in, the current user must sign out first
+- If disabled or not configured, multiple users can sign in at the same time. The Fast User Switching entry points are available from the sign-in screen, the Start menu, and the Task Manager. The current user doesn't have to sign out to allow another user to sign in
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Hide entry points for Fast User Switching** |
+
+To learn more, see [Fast User Switching](/windows/win32/shell/fast-user-switching).
diff --git a/windows/configuration/start/includes/hide-frequently-used-apps.md b/windows/configuration/start/includes/hide-frequently-used-apps.md
new file mode 100644
index 00000000000..65ff38d4971
--- /dev/null
+++ b/windows/configuration/start/includes/hide-frequently-used-apps.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Hide frequently used apps
+
+If you enable this setting, the frequently used programs list is removed from the Start menu.
+
+If you disable this setting or don't configure it, the frequently used programs list remains on the simple Start menu.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#hidefrequentlyusedapps)

    `./User/Vendor/MSFT/Policy/Config/Start/`[HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#hidefrequentlyusedapps) | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove frequent programs from the Start Menu** | diff --git a/windows/configuration/start/includes/hide-hibernate.md b/windows/configuration/start/includes/hide-hibernate.md new file mode 100644 index 00000000000..e7b39cbb1d1 --- /dev/null +++ b/windows/configuration/start/includes/hide-hibernate.md @@ -0,0 +1,13 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide Hibernate + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideHibernate](/windows/client-management/mdm/policy-csp-start#hidehibernate) | +| **GPO** | Not available. | diff --git a/windows/configuration/start/includes/hide-lock.md b/windows/configuration/start/includes/hide-lock.md new file mode 100644 index 00000000000..52a8be809e1 --- /dev/null +++ b/windows/configuration/start/includes/hide-lock.md @@ -0,0 +1,13 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide Lock + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideLock](/windows/client-management/mdm/policy-csp-start#hidelock) | +| **GPO** | Not available. | diff --git a/windows/configuration/start/includes/hide-most-used-lists.md b/windows/configuration/start/includes/hide-most-used-lists.md new file mode 100644 index 00000000000..e6f6eb22314 --- /dev/null +++ b/windows/configuration/start/includes/hide-most-used-lists.md 
@@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide most used lists + +If you enable this policy setting, you can configure Start menu to show or hide the list of user's most used apps, regardless of user settings: + +- Selecting **Show** forces the *Most used* list in the Start menu, and users can't change to hide it using the Settings app +- Selecting **Hide** disables the *Most used* list, and users can't change to show it using the Settings app +- Selecting **Not Configured**, allow users to turn on or off the display of **Most used** list using the Settings app. This is default behavior. + +> [!NOTE] +> +> This policy setting has the precedence over the *Hide frequently used apps* policy setting. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[ShowOrHideMostUsedApps](/windows/client-management/mdm/policy-csp-start#showorhidemostusedapps)

    `./User/Vendor/MSFT/Policy/Config/Start/`[ShowOrHideMostUsedApps](/windows/client-management/mdm/policy-csp-start#showorhidemostusedapps)| +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Show or hide "Most used" list from Start menu**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Show or hide "Most used" list from Start menu** | diff --git a/windows/configuration/start/includes/hide-power-button.md b/windows/configuration/start/includes/hide-power-button.md new file mode 100644 index 00000000000..2c5fb58ca97 --- /dev/null +++ b/windows/configuration/start/includes/hide-power-button.md @@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide Power button + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HidePowerButton](/windows/client-management/mdm/policy-csp-start#hidepowerbutton) | +| **GPO** | Not available. | + +hiderestart +hideshutdown +hidesleep \ No newline at end of file diff --git a/windows/configuration/start/includes/hide-recent-jumplists.md b/windows/configuration/start/includes/hide-recent-jumplists.md new file mode 100644 index 00000000000..6e9a6b15ac9 --- /dev/null +++ b/windows/configuration/start/includes/hide-recent-jumplists.md 
@@ -0,0 +1,25 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide recent jumplists + +Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents. + +- If you enable this setting: + - The system and apps don't create shortcuts to documents opened + - The system empties the Recent Items menu on the Start menu, and apps don't display shortcuts at the bottom of the File menu + - The Jump Lists in the Start Menu and Taskbar don't show lists of recently or frequently used files, folders, or websites +If you disable or don't configure this setting + - The system stores and displays shortcuts to recently and frequently used files, folders, and websites + +If you enable this setting but don't enable the "Remove Recent Items menu from Start Menu" setting, the Recent Items menu appears on the Start menu, but it's empty. If you enable this setting, but then later disable it or set it to *Not Configured*, the document shortcuts saved before the setting was enabled reappear in the Recent Items menu and program File menus, and Jump Lists. This setting doesn't hide or prevent the user from pinning files, folders, or websites to the Jump Lists. This setting doesn't hide document shortcuts displayed in the Open dialog box. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)

    `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not keep history of recently opened documents**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not keep history of recently opened documents**| + diff --git a/windows/configuration/start/includes/hide-recently-added-apps.md b/windows/configuration/start/includes/hide-recently-added-apps.md new file mode 100644 index 00000000000..43c642e888d --- /dev/null +++ b/windows/configuration/start/includes/hide-recently-added-apps.md @@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide recently added apps + +With this policy setting, you can prevent the Start menu from displaying a list of recently installed applications. + +If you enable this policy, the Start menu doesn't display the **Recently added** list. The corresponding setting is also disabled in Settings. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#hiderecentlyaddedapps)

    `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#hiderecentlyaddedapps) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove "Recently added" list from Start Menu** | diff --git a/windows/configuration/start/includes/hide-recommended-personalized-sites.md b/windows/configuration/start/includes/hide-recommended-personalized-sites.md new file mode 100644 index 00000000000..899e17d18a5 --- /dev/null +++ b/windows/configuration/start/includes/hide-recommended-personalized-sites.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide recommended personalized sites + +Remove Personalized Website Recommendations from the Recommended section in the Start Menu. + +| | Path | +|--|--| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecommendedPersonalizedSites](/windows/client-management/mdm/policy-csp-start#hiderecommendedpersonalizedsites)

    `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecommendedPersonalizedSites](/windows/client-management/mdm/policy-csp-start#hiderecommendedpersonalizedsites) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove Personalized Website Recommendations from the Recommended section in the Start Menu**| \ No newline at end of file diff --git a/windows/configuration/start/includes/hide-recommended-section.md b/windows/configuration/start/includes/hide-recommended-section.md new file mode 100644 index 00000000000..0331a54e2e3 --- /dev/null +++ b/windows/configuration/start/includes/hide-recommended-section.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide recommended section + +This policy setting prevents the Start menu from displaying a list of recommended applications and files. If you enable this policy setting, the Start menu doesn't show the section containing a list of recommended files and apps. + +| | Path | +|--|--| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecommendedSection](/windows/client-management/mdm/policy-csp-start#hiderecommendedsection)

    `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecommendedSection](/windows/client-management/mdm/policy-csp-start#hiderecommendedsection) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove Recommended section from Start Menu** | diff --git a/windows/configuration/start/includes/hide-restart.md b/windows/configuration/start/includes/hide-restart.md new file mode 100644 index 00000000000..b62480ae4bc --- /dev/null +++ b/windows/configuration/start/includes/hide-restart.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide Restart + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRestart](/windows/client-management/mdm/policy-csp-start#hiderestart) | +| **GPO** | Not available. | + +hideshutdown +hidesleep \ No newline at end of file diff --git a/windows/configuration/start/includes/hide-shut-down.md b/windows/configuration/start/includes/hide-shut-down.md new file mode 100644 index 00000000000..ff8957dcf00 --- /dev/null +++ b/windows/configuration/start/includes/hide-shut-down.md @@ -0,0 +1,13 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Hide Shut down + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideShutDown](/windows/client-management/mdm/policy-csp-start#hideshutdown) | +| **GPO** | Not available. | diff --git a/windows/configuration/start/includes/hide-signout.md b/windows/configuration/start/includes/hide-signout.md new file mode 100644 index 00000000000..9a6ef3d422d --- /dev/null +++ b/windows/configuration/start/includes/hide-signout.md 
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Hide Sign out
+
+With this policy setting you can remove the **Sign out** item from the Start menu and prevents users from restoring it:
+
+- If you enable this policy setting, the **Sign out** item doesn't appear in the Start menu
+- If you disable or don't configure this policy setting, users can use the **Sign out** item in the Start menu
+
+> [!NOTE]
+>
+> This policy setting affects the Start menu only. It doesn't affect the **Sign out** item on the Windows Security dialog box that appears when you press CTRL+ALT+DEL, and it doesn't prevent users from using other methods to sign out.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideSignOut](/windows/client-management/mdm/policy-csp-start#hidesignout) |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove Logoff on the Start Menu** |
diff --git a/windows/configuration/start/includes/hide-sleep.md b/windows/configuration/start/includes/hide-sleep.md
new file mode 100644
index 00000000000..dd866139e34
--- /dev/null
+++ b/windows/configuration/start/includes/hide-sleep.md
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Hide Sleep
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideSleep](/windows/client-management/mdm/policy-csp-start#hidesleep) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/hide-switch-user.md b/windows/configuration/start/includes/hide-switch-user.md
new file mode 100644
index 00000000000..49188235e23
--- /dev/null
+++ b/windows/configuration/start/includes/hide-switch-user.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Hide Switch user
+
+With this policy setting you can hide the **Switch user** option from the user tile in the start menu:
+
+- If enabled, the **Switch user** option is hidden
+- If disabled or not configured, the **Switch user** option is available
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideSwitchAccount](/windows/client-management/mdm/policy-csp-start#hideswitchaccount) |
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/hide-user-tile.md b/windows/configuration/start/includes/hide-user-tile.md
new file mode 100644
index 00000000000..18e35f9e1f3
--- /dev/null
+++ b/windows/configuration/start/includes/hide-user-tile.md
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Hide User tile
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideUserTile](/windows/client-management/mdm/policy-csp-start#hideusertile)|
+| **GPO** | Not available. |
diff --git a/windows/configuration/start/includes/import-edge-assets.md b/windows/configuration/start/includes/import-edge-assets.md
new file mode 100644
index 00000000000..c74bd471b51
--- /dev/null
+++ b/windows/configuration/start/includes/import-edge-assets.md
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Import Edge assets
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[ImportEdgeAssets](/windows/client-management/mdm/policy-csp-start#importedgeassets)|
+| **GPO** | Not available |
diff --git a/windows/configuration/start/includes/prevent-changes-to-taskbar-and-start-menu-settings.md b/windows/configuration/start/includes/prevent-changes-to-taskbar-and-start-menu-settings.md
new file mode 100644
index 00000000000..59b825838b2
--- /dev/null
+++ b/windows/configuration/start/includes/prevent-changes-to-taskbar-and-start-menu-settings.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Prevent changes to Taskbar and Start Menu settings + +With this policy setting you can prevent changes to Taskbar and Start menu settings: + +- If you enable this policy setting, users can't change the Taskbar or Start properties +- If you disable or don't configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Prevent changes to Taskbar and Start Menu Settings**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Prevent changes to Taskbar and Start Menu Settings**| diff --git a/windows/configuration/start/includes/prevent-users-from-customizing-their-start.md b/windows/configuration/start/includes/prevent-users-from-customizing-their-start.md new file mode 100644 index 00000000000..eeeaae273eb --- /dev/null +++ b/windows/configuration/start/includes/prevent-users-from-customizing-their-start.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Prevent users from customizing their Start + +With this policy setting you can prevent users from changing their Start menu layout: + +- If you enable this setting, users can't pin/unpin a Start menu element, and rearrange elements +- If you disable or don't configure this setting, users can pin/unpin elements, and rearrange elements + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Prevent users from customizing their Start**| diff --git a/windows/configuration/start/includes/prevent-users-from-uninstalling-applications-from-start.md b/windows/configuration/start/includes/prevent-users-from-uninstalling-applications-from-start.md new file mode 100644 index 00000000000..53add991f59 --- /dev/null +++ b/windows/configuration/start/includes/prevent-users-from-uninstalling-applications-from-start.md 
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Prevent users from uninstalling applications from Start
+
+If you enable this setting, users can't uninstall apps from Start. If you disable this setting or don't configure it, users can access the uninstall command from Start.
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Prevent users from uninstalling applications from Start**| diff --git a/windows/configuration/start/includes/remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands.md b/windows/configuration/start/includes/remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands.md new file mode 100644 index 00000000000..324fe427b06 --- /dev/null +++ b/windows/configuration/start/includes/remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands + +With this policy setting, you can prevent users from performing the following commands from the Windows security screen, the sign in screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting doesn't prevent users from running Windows-based programs that perform these functions: + +- If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the sign in screen +- If you disable or don't configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and sign in screens is also available + +| | Path | +|--|--| +| **CSP** | Not available | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**

    **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | diff --git a/windows/configuration/start/includes/remove-common-program-groups.md b/windows/configuration/start/includes/remove-common-program-groups.md new file mode 100644 index 00000000000..3c0479536cc --- /dev/null +++ b/windows/configuration/start/includes/remove-common-program-groups.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/10/2024 +ms.topic: include +--- + +### Remove common program groups + +This policy setting removes items in the *All Users* profile from the Programs menu on the Start menu. By default, the Programs menu contains items from the *All Users* profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Remove common program groups from Start Menu** | diff --git a/windows/configuration/start/includes/show-run-as-different-user-command.md b/windows/configuration/start/includes/show-run-as-different-user-command.md new file mode 100644 index 00000000000..edd8c3f2c43 --- /dev/null +++ b/windows/configuration/start/includes/show-run-as-different-user-command.md 
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Show *Run as different user* command
+
+With this policy setting, you can hide the *Run as different user* command on the Start application bar. If you enable it, users can access the **Run as different user** command from Start. If you disable or don't configure this setting, users can't access the **Run as different user** command from Start for any applications.
+
+> [!NOTE]
+> This setting doesn't prevent users from using other methods, such as the SHIFT right-click menu on application's jumplists in the taskbar to issue the *Run as different user* command.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Show "Run as different user" command on Start** |
diff --git a/windows/configuration/start/index.md b/windows/configuration/start/index.md
new file mode 100644
index 00000000000..0627e33663b
--- /dev/null
+++ b/windows/configuration/start/index.md
@@ -0,0 +1,87 @@ +--- +title: Configure the Start menu +description: Learn how to configure the Windows Start menu to provide quick access to the tools and applications that users need most. +ms.topic: overview +ms.date: 04/10/2024 +zone_pivot_groups: windows-versions-11-10 +ms.collection: +- essentials-manage +appliesto: +--- + +# Configure the Start menu + +The Windows Start menu is a pivotal element in the Windows operating system, serving as a central hub for launching applications and managing tasks. For organizations, the ability to configure the Start menu's behavior through policy settings can be highly beneficial, particularly in environments where certain roles or functions necessitate tailored access to applications and tools. + +For instance, in kiosk settings, organizations can configure the Start menu to limit access to a single application or a specific set of applications, ensuring that the kiosk serves its intended purpose without allowing for unnecessary or potentially disruptive interactions. This is useful in public spaces or in scenarios where devices are intended for a single function, such as information stands or check-in counters. + +Frontline workers, who often operate in fast-paced and dynamic environments, can benefit from a Start menu that is configured to provide quick access to the tools and applications they need most. This streamlined approach can enhance productivity and reduce the time spent navigating through unnecessary options. + +In educational settings, students can benefit from a Start menu that is customized to provide access to educational tools and resources while restricting distractions. By configuring policy settings, educational institutions can create a focused and conducive learning environment. + +## Start structure + +The Start menu structure consists five main areas, which you can configure to meet your organization's needs. 
These areas are as follows: + +:::row::: +:::column span="2"::: +::: zone pivot="windows-10" +1. **Start layout**: contains the arrangement of tiles that link to applications, folders, websites, or files +1. **All apps**: contains an alphabetical list of all installed applications. The list can include dynamic sections, such as *Most used* and *Recently added* +1. **Account**: contains links to change user account settings, sign out, lock the device, or switch user +1. **Pinned folders**: contains a customizable list of folders for quick access +1. **Power**: contains links to power options, such as shutdown, restart, and sleep +::: zone-end +::: zone pivot="windows-11" +1. **Start layout**: the *Pinned* section contains the arrangement of pins that link to applications, folders, websites, or files. The *Recommended* section is designed to enhance user productivity by providing quick access to frequently used apps, documents, or websites +1. **All apps**: contains an alphabetical list of all installed applications. The list can include dynamic sections, such as *Most used* and *Recently added* +1. **Account**: contains links to change user account settings, sign out, lock the device, or switch user +1. **Pinned folders**: contains a customizable list of folders for quick access +1. **Power**: contains links to power options, such as shutdown, restart, and sleep +::: zone-end +:::column-end::: +:::column span="2"::: +::: zone pivot="windows-10" + :::image type="content" source="./images/windows-10-settings.png" alt-text="Sample start menu layout with its components highlighted." border="false" lightbox="./images/windows-10-settings.png"::: +::: zone-end +::: zone pivot="windows-11" + :::image type="content" source="./images/windows-11-settings.png" alt-text="Sample start menu layout with its components highlighted." 
border="false" lightbox="./images/windows-11-settings.png"::: +::: zone-end + :::column-end::: +:::row-end::: + +## Configuration options + +There are several options to configure the Windows Start menu. + +If you need to configure a device for a single user, you can pin/unpin applications to Start and rearrange them. Start can be further customized from Settings. Go to **Settings** > **Personalization** > **[Start](ms-settings:personalization-start)**. + +For advanced customizations and when you need to configure multiple devices, you can use one of the following options: + +- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md#csps-in-windows-configuration-designer), which are used at deployment time or for unmanaged devices. To configure Start, use the [Start Policy CSP][WIN-1] +- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and not managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor + +> [!NOTE] +> While many of the Start menu policy settings can be configured using both CSP and GPO, there are some settings that are only available using the Start Policy CSP. To learn about the available policy settings to configure the Start menu via CSP and GPO, see [Start menu policy settings](policy-settings.md). + +::: zone pivot="windows-10" +The configuration of the Start layout requires the use of an XML file that specifies the layout. To learn more about how to create and apply an XML file to configure the Start layout, see [Customize the Start layout](layout.md). 
+::: zone-end + +::: zone pivot="windows-11" +The configuration of the Start layout requires the use of a JSON file that specifies the layout. To learn more about how to create and apply a JSON file to configure the Start layout, see [Customize the Start layout](layout.md). + +> [!IMPORTANT] +> The JSON file can be applied to devices using the [Start policy CSP][WIN-1] only. It's not possible to apply the JSON file using group policy. +::: zone-end + +## Next steps + +In the next sections, you can learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO): + +- [Customize the Start layout](layout.md) +- [Start menu policy settings](policy-settings.md) + + + +[WIN-1]: /windows/client-management/mdm/policy-csp-start \ No newline at end of file diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md new file mode 100644 index 00000000000..30baa389a17 --- /dev/null +++ b/windows/configuration/start/layout.md 
@@ -0,0 +1,651 @@
+---
+title: Customize the Start layout
+description: Learn how to customize the Windows Start layout, export its configuration, and deploy the customization to other devices.
+ms.topic: how-to
+ms.date: 04/10/2024
+zone_pivot_groups: windows-versions-11-10
+appliesto:
+---
+
+# Customize the Start layout
+
+Implementing a customized Start layout across your organization's devices empowers administrators with direct control over the Start menu configuration. With this capability, you can specify a tailored set of pinned applications, arranged according to preference. Utilize this feature to strategically pin desired apps, eliminate default pinned apps, and organize the application display to align with operational requirements.
+
+This article describes how to customize the Start layout, export its configuration, and deploy the customization to other devices.
+
+> [!NOTE]
+> If you are looking for OEM information, see the article [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
+
+## Customization process
+
+To customize the Windows Start layout and deploy its configuration to other devices, follow these steps:
+
+1. Configure the Start layout to meet your requirements from a reference device
+1. Export the Start layout configuration to a configuration file
+1. Deploy the configuration file using one of the available options
+
+> [!TIP]
+> While you can create your own configuration file, it's easier and faster to export the layout from an existing device.
+
+### Customize the Start layout on a reference device
+
+To prepare a Start layout for export, customize the Start layout on a reference device. To prepare a reference device:
+
+1. Set up a device on which to customize the Start layout, which should have the operating system that is installed on the users' devices
+1. Install all apps and services that the Start layout should display
+1. 
Create a new user account that you use to customize the Start layout
+
+To customize Start:
+
+::: zone pivot="windows-10"
+
+1. Sign in to the reference device with the user account that you created
+1. Customize the Start layout as you want users to see it by using the following techniques:
+
+ - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app and select **Pin to Start**
+ To view all apps, select **All apps**. Right-click any app, and pin or unpin it from Start
+ - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then select **Unpin from Start**
+ - **Drag existing apps** on Start to reorder or group them
+ - **Resize tiles**. To resize tiles, right-click the tile and then select **Resize**
+ - **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group
+
+> [!IMPORTANT]
+> If the Start layout includes tiles for apps that are not installed on the target device, the tiles for those apps will be blank. The blank tiles persist until the next time the user signs in, at which time the blank tiles are removed.
+
+::: zone-end
+
+::: zone pivot="windows-11"
+
+1. Sign in to the reference device with the user account that you created
+1. Customize the **Pinned** section of the Start layout as you want users to see it by using the following techniques:
+
+ - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app and select **Pin to Start**
+ To view all apps, select **All apps**. Right-click any app, and pin or unpin it from Start
+ - **Unpin apps** that you don't want to display. 
To unpin an app, right-click the app, and then select **Unpin from Start**
+ - **Drag existing apps** on Start to reorder them
+
+> [!IMPORTANT]
+> If the Start layout includes pins for apps that aren't installed on the target device, the pins for those apps aren't created until the apps are installed.
+
+::: zone-end
+
+### Export the Start layout configuration
+
+Once the Start layout is configured to meet your requirements, use the Windows PowerShell [Export-StartLayout][PS-1] cmdlet to export the existing layout to a configuration file.
+
+::: zone pivot="windows-10"
+The exported customization consists of an XML file containing a list of tiles that define the Start layout.
+
+> [!NOTE]
+> You can find the default Start layout template in `%LOCALAPPDATA%\Microsoft\windows\Shell\DefaultLayouts.xml`.
+
+To export the Start layout to an XML file:
+
+1. While signed in with the same account that you used to customize Start, create a folder to save the `.xml` file. For example, create the `C:\Layouts` folder
+1. Open Windows PowerShell
+1. Run the following cmdlet:
+
+ ```powershell
+ Export-StartLayout -UseDesktopApplicationID -Path "C:\Layouts\LayoutModification.xml"
+ ```
+
+1. (Optional) Edit the XML file to add [a taskbar configuration](../taskbar/configure.md) or to make any modifications to the Start layout
+
+::: zone-end
+
+::: zone pivot="windows-11"
+
+The exported customization consists of a JSON file containing a list of pins that define the Start layout.
+
+To export the Start layout to a JSON file:
+
+1. While signed in with the same account that you used to customize Start, create a folder to save the `.json` file. For example, create the `C:\Layouts` folder
+1. Open Windows PowerShell
+1. 
Run the following cmdlet:
+
+ ```powershell
+ Export-StartLayout -Path "C:\Layouts\LayoutModification.json"
+ ```
+
+::: zone-end
+
+### Start layout example
+
+Here you can find an example of Start layout that you can use as a reference:
+
+[!INCLUDE [example-start-layout](includes/example-start-layout.md)]
+
+### Change the configuration file
+
+::: zone pivot="windows-10"
+
+> [!CAUTION]
+> When you make changes to the exported layout, be aware that the XML file must adhere to an [XML schema definition (XSD)](xsd.md).
+>
+> The XML file requires the following order for tags directly under the `LayoutModificationTemplate` node:
+>
+> 1. `LayoutOptions`
+> 1. `DefaultLayoutOverride`
+> 1. `RequiredStartGroupsCollection`
+> 1. `AppendDownloadOfficeTile` - OR - `AppendOfficeSuite` (only one Office option can be used at a time)
+> 1. `AppendOfficeSuiteChoice`
+> 1. `TopMFUApps`
+> 1. `CustomTaskbarLayoutCollection`
+> 1. `InkWorkspaceTopApps`
+> 1. `StartLayoutCollection`
+>
+> Comments are not supported in the `LayoutModification.xml` file.
+
+> [!NOTE]
+> `RequiredStartGroupsCollection` and `AppendGroup` syntax only apply when the `Import-StartLayout` method is used for building and deploying Windows images.
+
+You can edit the XML file to make any modifications to the Start layout. For example, you can include `` to include the Taskbar customization.
+
+If the Start layout that you export contains tiles for desktop apps or URL links, `Export-StartLayout` uses `DesktopApplicationLinkPath` in the resulting file. Use a text or XML editor to change `DesktopApplicationLinkPath` to `DesktopApplicationID`. 
+
+For scripts and application tile pins to work correctly, follow these rules:
+
+- Executable files and scripts should be listed in `%ProgramFiles%` or wherever the installer of the app places them
+- Shortcuts that pin to Start should be placed in `%ProgramData%\Microsoft\Windows\Start Menu\Programs`
+- If you place executable files or scripts in the `%ProgramData%\Microsoft\Windows\Start Menu\Programs` folder, they don't pin to Start
+
+> [!NOTE]
+> All devices that you apply the Start layout to, must have the apps and other shortcuts present on the local system in the same location as the source for the Start layout.
+
+After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout:
+
+- When a full Start layout is applied, the users can't pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they can't pin any apps to Start
+- When a partial Start layout is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups
+
+### Supported elements and attributes
+
+| Element | Description |
+|--|--|
+| `LayoutModificationTemplate` | Use to describe the changes to the default Start layout |
+| [LayoutOptions](#layoutoptions) | Use to specify:
    - Whether to use full screen Start on the desktop
    - The number of tile columns in the Start menu |
+| `RequiredStartGroupsCollection` | Use to contain collection of `RequiredStartGroups` |
+| [RequiredStartGroups](#requiredstartgroups) | Use to contain the `AppendGroup` tags, which represent groups that can be appended to the default Start layout |
+| [AppendGroup](#appendgroup) | Use to specify the tiles that need to be appended to the default Start layout |
+| [start:Tile](#specify-start-tiles) | Use to specify a UWP app |
+| `start:Folder`| Use to specify a folder of icons; can include [Tile](#starttile), [SecondaryTile](#startsecondarytile), and [DesktopApplicationTile](#startdesktopapplicationtile) |
+| [start:DesktopApplicationTile](#startdesktopapplicationtile) | Use to specify any of the following:
    - A Windows desktop application with a known AppUserModelID
    - An application in a known folder with a link in a legacy Start Menu folder
    - A Windows desktop application link in a legacy Start Menu folder
    - A Web link tile with an associated `.url` file that is in a legacy Start Menu folder |
+| [start:SecondaryTile](#startsecondarytile) | Use to pin a Web link through a Microsoft Edge secondary tile |
+| [AppendOfficeSuite](#appendofficesuite) | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

    Don't use this tag with `AppendDownloadOfficeTile` |
+| [AppendDownloadOfficeTile](#appenddownloadofficetile) | Use to add a specific **Download Office** tile to a specific location in Start

    Do not use this tag with `AppendOfficeSuite` |
+
+#### LayoutOptions
+
+New devices running Windows 10 for desktop editions default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
+
+- Boot to tablet mode can be set on or off
+- Set full screen Start on desktop to on or off
+ To do this, add the `LayoutOptions` element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false
+- Specify the number of columns in the Start menu to 1 or 2
+ To do this, add the `LayoutOptions` element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2
+
+The following example shows how to use the `LayoutOptions` element to specify full screen Start on the desktop and to use one column in the Start menu:
+
+```xml
+
+```
+
+#### RequiredStartGroups
+
+The `RequiredStartGroups` tag contains `AppendGroup` tags that represent groups that you can append to the default Start layout.
+
+The groups have the following constraints:
+
+- Two groups that are six columns wide, or equivalent to the width of three medium tiles
+- Two medium-sized tile rows in height. Windows ignores any tiles that are pinned beyond the second row
+- No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x three columns x two rows)
+
+>[!IMPORTANT]
+>You can add a maximum of two `AppendGroup` tags per `RequiredStartGroups` tag.
+
+You can also assign regions to the append groups in the `RequiredStartGroups` tag's using the optional `Region` attribute or you can use the multivariant capabilities in Windows provisioning. 
If you're using the `Region` attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe (`|`) delimiter as shown in the following example:
+
+```XML
+
+```
+
+- If the country/region setting for the Windows device matches a `RequiredStartGroups`, then the tiles laid out within the `RequiredStartGroups` is applied to Start
+- If you specify a region-agnostic `RequiredStartGroups` (or one without the optional Region attribute), then the region-agnostic `RequiredStartGroups` is applied to Start
+
+#### AppendGroup
+
+`AppendGroup` tags specify a group of tiles to append to Start. There's a maximum of two `AppendGroup` tags allowed per `RequiredStartGroups` tag.
+
+For Windows 10 for desktop editions, AppendGroup tags contain `start:Tile`, `start:DesktopApplicationTile`, or `start:SecondaryTile` tags.
+
+You can specify any number of tiles in an `AppendGroup`, but you can't specify a tile with a `Row` attribute greater than one. The Start layout doesn't support overlapping tiles.
+
+#### Specify Start tiles
+
+To pin tiles to Start, partners must use the right tile depending on what you want to pin.
+
+#### Tile size and coordinates
+
+All tile types require a size (`Size`) and coordinates (`Row` and `Column`) attributes, regardless of the tile type that you use when prepinning items to Start.
+
+The following table describes the attributes that you must use to specify the size and location for the tile.
+
+| Attribute | Description |
+| --- | --- |
+| `Size` | Determines how large the tile is.

    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile |
+| `Row` | Specifies the row where the tile appears. |
+| `Column` | Specifies the column where the tile appears. |
+
+For example, a tile with `Size="2x2"`, `Row="2"`, and `Column="2"` results in a tile located at (2,2) where (0,0) is the top-left corner of a group.
+
+#### start:Tile
+
+You can use the `start:Tile` tag to pin a UWP app to Start. You must set the `AppUserModelID` attribute to the application user model ID (AUMID) of the corresponding app.
+
+#### start:DesktopApplicationTile
+
+You can use the `start:DesktopApplicationTile` tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application:
+
+- Use a path to a shortcut link (.lnk file) to a Windows desktop application.
+
+ >[!NOTE]
+ >Use `DesktopApplicationID` rather than `DesktopApplicationLinkPath` if the application is installed after the user's first sign-in.
+
+ To pin a Windows desktop application through this method, you must first add the `.lnk` file in the specified location when the device first boots.
+
+ The following example shows how to pin the Command Prompt:
+
+ ```XML
+
+ ```
+
+ You must set the `DesktopApplicationLinkPath` attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
+
+ If you're pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the `.lnk` file in a legacy Start Menu directory before first boot. For example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`.
+
+- Use the AUMID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
+
+Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md). 
+
+ The following example shows how to pin the File Explorer Windows desktop application:
+
+ ```XML
+
+ ```
+
+You can also use the `start:DesktopApplicationTile` tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.
+
+To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`.
+
+The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile:
+
+```XML
+
+```
+
+>[!NOTE]
+>`Export-StartLayout` uses `DesktopApplicationLinkPath` for the .url shortcut. You must change `DesktopApplicationLinkPath` to `DesktopApplicationID` and provide the URL.
+
+#### start:SecondaryTile
+
+You can use the `start:SecondaryTile` tag to pin a web link through a Microsoft Edge secondary tile. This method doesn't require more actions compared to the method of using legacy `.url` shortcuts (through the `start:DesktopApplicationTile` tag).
+
+The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
+
+```XML
+
+```
+
+The following table describes the other attributes that you can use with the `start:SecondaryTile` tag in addition to `Size`, `Row`, and `Column`.
+
+| Attribute | Required/optional | Description |
+| --- | --- | --- |
+| `AppUserModelID` | Required | Must point to Microsoft Edge. |
+| `TileID` | Required | Must uniquely identify your Web site tile. |
+| `Arguments` | Required | Must contain the URL of your Web site. |
+| `DisplayName` | Required | Must specify the text that you want users to see. 
|
+| `Square150x150LogoUri` | Required | Specifies the logo to use on the 2x2 tile. |
+| `Wide310x150LogoUri` | Optional | Specifies the logo to use on the 4x2 tile. |
+| `ShowNameOnSquare150x150Logo` | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. |
+| `ShowNameOnWide310x150Logo` | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. |
+| `BackgroundColor` | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, `#FF112233`) or specify `transparent`. |
+| `ForegroundText` | Optional | Specifies the color of the foreground text. Set the value to either `light` or `dark`. |
+
+Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app.
+
+#### AppendOfficeSuite
+
+You can use the `AppendOfficeSuite` tag to add the in-box installed Office suite of apps to Start.
+
+>[!NOTE]
+>The OEM must have installed Office for this tag to work.
+
+The following example shows how to add the `AppendOfficeSuite` tag to your `LayoutModification.xml` file to append the Office suite to Start:
+
+```XML
+
+
+
+```
+
+#### AppendOfficeSuiteChoice
+
+You have two options in this tag:
+
+- ``
+- ``
+
+Use `Choice=DesktopBridgeSubscription` on devices that have Office 365 preinstalled. This sets the heading of the Office suite of tiles to `Office 365`, to highlight the Office 365 apps that you've made available on the device.
+
+Use `Choice=DesktopBridge` on devices shipping with [perpetual licenses for Office](/archive/blogs/ausoemteam/choosing-the-right-office-version-for-your-customers). This sets the heading of the Office suite of tiles to **Create**. 
+
+For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).
+
+#### AppendDownloadOfficeTile
+
+You can use the `AppendDownloadOfficeTile` tag to append the Office trial installer to Start. This tag adds the **Download Office** tile to Start and the download tile will appear at the bottom right-hand side of the second group.
+
+>[!NOTE]
+>The OEM must have installed the Office trial installer for this tag to work.
+
+The following example shows how to add the `AppendDownloadOfficeTile` tag to your LayoutModification.xml file:
+
+```XML
+
+
+
+```
+
+#### Configure a partial Start layout
+
+:::row:::
+:::column span="2":::
+
+A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users can't change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
+
+:::column-end:::
+:::column span="2":::
+
+:::image type="content" source="images/windows-10-partial-layout.png" alt-text="Screenshot of the Windows 10 Start menu with partial layout." lightbox="images/windows-10-partial-layout.png":::
+
+:::column-end:::
+:::row-end:::
+
+When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
+
+If you apply a partial Start layout to a device with an existing Start layout applied, groups that were added previously are removed, and the groups in the new layout are added.
+
+> [!NOTE]
+> If you remove the policy setting, the groups remain on the devices but become unlocked. 
+
+To configure a partial Start screen layout, modify the `` element as follows:
+
+```xml
+
+```
+
+::: zone-end
+
+::: zone pivot="windows-11"
+
+You can edit the JSON file to make any modifications to the **Pinned** section of the Start layout. For example, you can change the order of the pinned elements, or add new apps.
+
+1. Open the `LayoutModification.json` file in a JSON editor, such as Visual Studio Code or Notepad
+1. The `pinnedList` section includes all the pins that are applied to the Start layout
+
+You can add more apps to the section using the following keys:
+
+| Key | Description |
+|--|--|
+| `packagedAppID` | Used for Universal Windows Platform (UWP) apps. To pin a UWP app, use the app's AUMID. |
+| `desktopAppID` | Used for desktop apps. To pin a desktop app, use the app's AUMID. If the app doesn't have an AUMID, use the `desktopAppLink` instead. |
+| `desktopAppLink` | Used for desktop apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. |
+
+::: zone-end
+
+Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md).
+
+### Deploy the Start layout configuration
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+::: zone pivot="windows-10"
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune-10)
+
+To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings:
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Start** | Start Layout | Content of the XML file|
+| **Start** | Start Layout (User) | Content of the XML file|
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. 
Use one of the following settings:
+
+| Setting |
+|--|
+| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)
    - **String:**
    - **Value:** content of the XML file |
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)
    - **Data type:**
    - **Value:** content of the XML file |
+
+[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg-10)
+
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
+
+- **Path:** `Policies/Start/StartLayout`
+- **Value:** content of the XML file
+
+> [!NOTE]
+> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
+
+[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
+
+### Use Windows Provisioning multivariant support
+
+The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](../provisioning-packages/provisioning-multivariant.md).
+
+The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provisioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against.
+
+For example, if you want to ensure that there's a specific layout for a certain condition, you can:
+
+1. 
Create a specific layout customization file and then name it LayoutCustomization1.xml
+1. Include the file as part of your provisioning package
+1. Create your multivariant target and reference the XML file within the target condition in the main customization XML file
+
+The following example shows what the overall customization file might look like with multivariant support for Start:
+
+```XML
+
+
+
+ {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}
+ My Provisioning Package
+ 1.0
+ OEM
+ 50
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1
+ 1
+ 1
+
+
+ 1
+
+
+
+
+
+
+
+
+ c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML
+
+ 1
+
+
+
+
+
+
+```
+
+When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout.
+
+You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a `Language` condition, you can create a Start layout that has its own localized group.
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+
+To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). 
To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use one of the following settings:
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+|**Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file |
+|**User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file |
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
+
+---
+
+>[!NOTE]
+>You can apply a Start layout to a mounted Windows image, with the PowerShell [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet.
+>Don't include XML Prologs like \ in the Start layout XML file.
+
+::: zone-end
+
+::: zone pivot="windows-11"
+
+> [!IMPORTANT]
+> The JSON file can be applied to devices using the [Start policy CSP][WIN-1] only. It's not possible to apply the JSON file using group policy. 
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune-11)
+
+To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings:
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Start** | Configure Start Pins | Content of the JSON file|
+| **Start** | Configure Start Pins (User) | Content of the JSON file|
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. Use one of the following settings:
+
+| Setting |
+|--|
+| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-Start#configurestartpins)
    - **String:**
    - **Value:** content of the JSON file |
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-Start#configurestartpins)
    - **Data type:**
    - **Value:** content of the JSON file |
+
+[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg-11)
+
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
+
+- **Path:** `Policies/Start/ConfigureStartPins`
+- **Value:** content of the JSON file
+
+> [!NOTE]
+> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the JSON file, usually with a function called *join lines*.
+
+[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
+
+---
+
+::: zone-end
+
+## User experience
+
+:::row:::
+:::column span="2":::
+
+After the settings are applied, sign in to the device. The Start layout that you configured is applied to the Start menu.
+
+::: zone pivot="windows-10"
+
+When a full Start layout is applied with policy settings, users can't pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they can't change the Start layout. When you apply a partial Start layout, the content of the specified tile groups can't be changed, but users can move the groups, and can create and customize their own groups.
+
+::: zone-end
+
+::: zone pivot="windows-11"
+
+When you configure the Start layout with policy settings, you overwrite the entire layout. Users can change the order of the pinned elements, pin, or unpin items. When a user signs in again, the Start layout specified in the policy setting is reapplied, without retaining any user changes.
+
+::: zone-end
+
+:::column-end:::
+:::column span="2":::
+::: zone pivot="windows-10"
+ :::image type="content" source="images/windows-10.png" alt-text="Screenshot of the Windows 10 Start menu." 
border="false" lightbox="images/windows-10.png":::
+::: zone-end
+
+::: zone pivot="windows-11"
+ :::image type="content" source="images/windows-11.png" alt-text="Screenshot of the Windows 11 Start menu." border="false" lightbox="images/windows-11.png":::
+::: zone-end
+
+:::column-end:::
+:::row-end:::
+
+## Next steps
+
+- To learn more about the policy settings available to configure the Start menu using the Configuration Service Provider (CSP) and Group Policy (GPO), see [Start menu policy settings](policy-settings.md).
+- To learn how to configure the taskbar, see [Configure the Windows taskbar](../taskbar/index.md).
+
+
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[PS-1]: /powershell/module/startlayout/export-startlayout
+[WIN-1]: /windows/client-management/mdm/policy-csp-start
diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md
new file mode 100644
index 00000000000..5d0b4b6bf0e
--- /dev/null
+++ b/windows/configuration/start/policy-settings.md
@@ -0,0 +1,232 @@
+---
+title: Start policy settings
+description: Learn about the policy settings to configure the Windows Start menu.
+ms.topic: reference
+ms.date: 07/10/2024
+appliesto:
+zone_pivot_groups: windows-versions-11-10
+---
+
+# Start menu policy settings
+
+This reference article outlines the policy settings available for customizing the Start menu experience, using Configuration Service Provider (CSP) or group policy (GPO). For information about how to configure these settings, see [Configure the Start menu](index.md).
+
+The settings are categorized and presented in alphabetical order to facilitate navigation and configuration.
+
+:::row:::
+:::column span="2":::
+
+1. **Start layout**: settings to control the Start menu appearance and its behavior
+1. **All apps options**: settings to control the All apps list
+1. **Account options**: settings to control the options exposed when selecting the user account icon
+1. **Pinned folders**: settings to control the folders pinned for quick access
+1. **Power options**: settings to control the options exposed when selecting the power button
+
+:::column-end:::
+:::column span="2":::
+::: zone pivot="windows-10"
+ :::image type="content" source="./images/windows-10-settings.png" alt-text="Sample start menu layout with its components highlighted." border="false" lightbox="./images/windows-10-settings.png":::
+::: zone-end
+
+::: zone pivot="windows-11"
+ :::image type="content" source="./images/windows-11-settings.png" alt-text="Sample start menu layout with its components highlighted." border="false" lightbox="./images/windows-11-settings.png":::
+::: zone-end
+
+ :::column-end:::
+:::row-end:::
+
+Select one of the tabs to see the list of available settings:
+
+#### [:::image type="icon" source="../images/icons/start.svg"::: **Layout**](#tab/start)
+
+::: zone pivot="windows-11"
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Configure Start pins](#configure-start-pins)|✅|❌|
+|[Disable context menus](#disable-context-menus)|✅|✅|
+|[Disable search](#disable-search)|✅|✅|
+|[Don't use the search-based method when resolving shell shortcuts](#dont-use-the-search-based-method-when-resolving-shell-shortcuts)|❌|✅|
+|[Don't use the tracking-based method when resolving shell shortcuts](#dont-use-the-tracking-based-method-when-resolving-shell-shortcuts)|❌|✅|
+|[Prevent changes to Taskbar and Start Menu Settings](#prevent-changes-to-taskbar-and-start-menu-settings)|❌|✅|
+|[Prevent users from customizing their Start](#prevent-users-from-customizing-their-start)|❌|✅|
+|[Prevent users from uninstalling applications from Start](#prevent-users-from-uninstalling-applications-from-start)|❌|✅|
+|[Remove common program groups](#remove-common-program-groups)|❌|✅|
+|[Show **Run as different user** command](#show-run-as-different-user-command)|❌|✅|
+
+### Recommended section
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Clear history of recently opened documents on exit](#clear-history-of-recently-opened-documents-on-exit)|❌|✅|
+|[Hide recently added apps](#hide-recently-added-apps)|✅|✅|
+|[Hide recent jumplists](#hide-recent-jumplists)|✅|✅|
+|[Hide recommended personalized sites](#hide-recommended-personalized-sites)|✅|✅|
+|[Hide recommended section](#hide-recommended-section)|✅|✅|
+
+::: zone-end
+
+::: zone pivot="windows-10"
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Clear history of recently opened documents on exit](#clear-history-of-recently-opened-documents-on-exit)|❌|✅|
+|[Clear tile notifications during log on](#clear-tile-notifications-during-log-on)|❌|✅|
+|[Configure Start layout](#configure-start-layout)|✅|✅|
+|[Disable context menus](#disable-context-menus)|✅|✅|
+|[Don't use the search-based method when resolving shell shortcuts](#dont-use-the-search-based-method-when-resolving-shell-shortcuts)|❌|✅|
+|[Don't use the tracking-based method when resolving shell shortcuts](#dont-use-the-tracking-based-method-when-resolving-shell-shortcuts)|❌|✅|
+|[Force Start size](#force-start-size)|✅|✅|
+|[Hide recently added apps](#hide-recently-added-apps)|✅|✅|
+|[Import Edge assets](#import-edge-assets)|✅|❌|
+|[Prevent changes to Taskbar and Start Menu Settings](#prevent-changes-to-taskbar-and-start-menu-settings)|❌|✅|
+|[Prevent users from customizing their Start](#prevent-users-from-customizing-their-start)|❌|✅|
+|[Prevent users from uninstalling applications from Start](#prevent-users-from-uninstalling-applications-from-start)|❌|✅|
+|[Remove common program groups](#remove-common-program-groups)|❌|✅|
+|[Show **Run as different user** command](#show-run-as-different-user-command)|❌|✅|
+::: zone-end
+
+[!INCLUDE [clear-history-of-recently-opened-documents-on-exit](includes/clear-history-of-recently-opened-documents-on-exit.md)]
+::: zone pivot="windows-10"
+[!INCLUDE [clear-tile-notifications-during-log-on](includes/clear-tile-notifications-during-log-on.md)]
+[!INCLUDE [configure-start-layout](includes/configure-start-layout.md)]
+::: zone-end
+::: zone pivot="windows-11"
+[!INCLUDE [configure-start-pins](includes/configure-start-pins.md)]
+::: zone-end
+[!INCLUDE [disable-context-menus](includes/disable-context-menus.md)]
+::: zone pivot="windows-11"
+[!INCLUDE [disable-search](includes/disable-search.md)]
+::: zone-end
+[!INCLUDE [do-not-use-the-search-based-method-when-resolving-shell-shortcuts](includes/do-not-use-the-search-based-method-when-resolving-shell-shortcuts.md)]
+[!INCLUDE [do-not-use-the-tracking-based-method-when-resolving-shell-shortcuts](includes/do-not-use-the-tracking-based-method-when-resolving-shell-shortcuts.md)]
+::: zone pivot="windows-10"
+[!INCLUDE [force-start-size](includes/force-start-size.md)]
+::: zone-end
+[!INCLUDE [hide-recently-added-apps](includes/hide-recently-added-apps.md)]
+[!INCLUDE [hide-recent-jumplists](includes/hide-recent-jumplists.md)]
+::: zone pivot="windows-11"
+[!INCLUDE [hide-recommended-personalized-sites](includes/hide-recommended-personalized-sites.md)]
+[!INCLUDE [hide-recommended-section](includes/hide-recommended-section.md)]
+::: zone-end
+::: zone pivot="windows-10"
+[!INCLUDE [import-edge-assets](includes/import-edge-assets.md)]
+::: zone-end
+[!INCLUDE [prevent-changes-to-taskbar-and-start-menu-settings](includes/prevent-changes-to-taskbar-and-start-menu-settings.md)]
+[!INCLUDE [prevent-users-from-customizing-their-start](includes/prevent-users-from-customizing-their-start.md)]
+[!INCLUDE [prevent-users-from-uninstalling-applications-from-start](includes/prevent-users-from-uninstalling-applications-from-start.md)]
+[!INCLUDE [remove-common-program-groups](includes/remove-common-program-groups.md)]
+[!INCLUDE [show-run-as-different-user-command](includes/show-run-as-different-user-command.md)]
+
+#### [:::image type="icon" source="../images/icons/allapps.svg"::: **All apps**](#tab/allapps)
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Clear the recent programs list for new users](#clear-the-recent-programs-list-for-new-users)|❌|✅|
+|[Hide app list](#hide-app-list)|✅|✅|
+|[Hide frequently used apps](#hide-frequently-used-apps)|✅|✅|
+|[Hide most used lists](#hide-most-used-lists)|✅|✅|
+
+[!INCLUDE [clear-the-recent-programs-list-for-new-users](includes/clear-the-recent-programs-list-for-new-users.md)]
+[!INCLUDE [hide-app-list](includes/hide-app-list.md)]
+[!INCLUDE [hide-frequently-used-apps](includes/hide-frequently-used-apps.md)]
+[!INCLUDE [hide-most-used-lists](includes/hide-most-used-lists.md)]
+
+#### [:::image type="icon" source="../images/icons/user.svg"::: **Account options**](#tab/user)
+
+::: zone pivot="windows-11"
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Hide **Change account settings**](#hide-change-account-settings)|✅|❌|
+|[Hide **Sign out**](#hide-sign-out)|✅|✅|
+|[Hide **Switch user**](#hide-switch-user)|✅|❌|
+|[Hide entry points for Fast User Switching](#hide-entry-points-for-fast-user-switching)|✅|✅|
+|[Hide user tile](#hide-user-tile)|✅|❌|
+::: zone-end
+
+::: zone pivot="windows-10"
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Hide **Change account settings**](#hide-change-account-settings)|✅|❌|
+|[Hide **Lock**](#hide-lock)|✅|❌|
+|[Hide **Sign out**](#hide-sign-out)|✅|✅|
+|[Hide **Switch user**](#hide-switch-user)|✅|❌|
+|[Hide entry points for Fast User Switching](#hide-entry-points-for-fast-user-switching)|✅|✅|
+|[Hide user tile](#hide-user-tile)|✅|❌|
+::: zone-end
+
+[!INCLUDE [hide-change-account-settings](includes/hide-change-account-settings.md)]
+
+::: zone pivot="windows-10"
+[!INCLUDE [hide-lock](includes/hide-lock.md)]
+::: zone-end
+
+[!INCLUDE [hide-signout](includes/hide-signout.md)]
+[!INCLUDE [hide-switch-user](includes/hide-switch-user.md)]
+[!INCLUDE [hide-lock](includes/hide-entry-points-for-fast-user-switching.md)]
+[!INCLUDE [hide-user-tile](includes/hide-user-tile.md)]
+
+#### [:::image type="icon" source="../images/icons/folder.svg"::: **Pinned folders**](#tab/folders)
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Allow pinned folder Documents](#allow-pinned-folder-documents)|✅|❌|
+|[Allow pinned folder Downloads](#allow-pinned-folder-downloads)|✅|❌|
+|[Allow pinned folder File Explorer](#allow-pinned-folder-file-explorer)|✅|❌|
+|[Allow pinned folder Home Group](#allow-pinned-folder-home-group)|✅|❌|
+|[Allow pinned folder Music](#allow-pinned-folder-music)|✅|❌|
+|[Allow pinned folder Network](#allow-pinned-folder-network)|✅|❌|
+|[Allow pinned folder Personal Folder](#allow-pinned-folder-personal-folder)|✅|❌|
+|[Allow pinned folder Pictures](#allow-pinned-folder-pictures)|✅|❌|
+|[Allow pinned folder Settings](#allow-pinned-folder-settings)|✅|❌|
+|[Allow pinned folder Videos](#allow-pinned-folder-videos)|✅|❌|
+
+[!INCLUDE [allow-pinned-folder-documents](includes/allow-pinned-folder-documents.md)]
+[!INCLUDE [allow-pinned-folder-downloads](includes/allow-pinned-folder-downloads.md)]
+[!INCLUDE [allow-pinned-folder-file-explorer](includes/allow-pinned-folder-file-explorer.md)]
+[!INCLUDE [allow-pinned-folder-home-group](includes/allow-pinned-folder-home-group.md)]
+[!INCLUDE [allow-pinned-folder-music](includes/allow-pinned-folder-music.md)]
+[!INCLUDE [allow-pinned-folder-network](includes/allow-pinned-folder-network.md)]
+[!INCLUDE [allow-pinned-folder-personal-folder](includes/allow-pinned-folder-personal-folder.md)]
+[!INCLUDE [allow-pinned-folder-pictures](includes/allow-pinned-folder-pictures.md)]
+[!INCLUDE [allow-pinned-folder-settings](includes/allow-pinned-folder-settings.md)]
+[!INCLUDE [allow-pinned-folder-videos](includes/allow-pinned-folder-videos.md)]
+
+#### [:::image type="icon" source="../images/icons/power.svg"::: **Power options**](#tab/power)
+
+
+::: zone pivot="windows-11"
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Hide **Hibernate** ](#hide-hibernate)|✅|❌|
+|[Hide **Lock**](#hide-lock)|✅|❌|
+|[Hide **Power** button](#hide-power-button)|✅|❌|
+|[Hide **Restart**](#hide-restart)|✅|❌|
+|[Hide **Shut down**](#hide-shut-down)|✅|❌|
+|[Hide **Sleep**](#hide-sleep)|✅|❌|
+|[Remove and prevent access to the shut down restart sleep and hibernate commands](#remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands)|❌|✅|
+::: zone-end
+
+::: zone pivot="windows-10"
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Hide **Hibernate** ](#hide-hibernate)|✅|❌|
+|[Hide **Power** button](#hide-power-button)|✅|❌|
+|[Hide **Restart**](#hide-restart)|✅|❌|
+|[Hide **Shut down**](#hide-shut-down)|✅|❌|
+|[Hide **Sleep**](#hide-sleep)|✅|❌|
+|[Remove and prevent access to the shut down restart sleep and hibernate commands](#remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands)|❌|✅|
+
+::: zone-end
+
+[!INCLUDE [hide-hibernate](includes/hide-hibernate.md)]
+::: zone pivot="windows-11"
+[!INCLUDE [hide-lock](includes/hide-lock.md)]
+::: zone-end
+[!INCLUDE [hide-power-button](includes/hide-power-button.md)]
+[!INCLUDE [hide-restart](includes/hide-restart.md)]
+[!INCLUDE [hide-shut-down](includes/hide-shut-down.md)]
+[!INCLUDE [hide-sleep](includes/hide-sleep.md)]
+
+[!INCLUDE [remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands](includes/remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands.md)]
+
+---
diff --git a/windows/configuration/start/start-layout-xml-desktop.md b/windows/configuration/start/start-layout-xml-desktop.md
deleted file mode 100644
index 4e979045326..00000000000
--- a/windows/configuration/start/start-layout-xml-desktop.md
+++ /dev/null
@@ -1,527 +0,0 @@ ---- -title: Start layout XML for desktop editions of Windows 10 -description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. -ms.topic: article -ms.date: 10/02/2018 -appliesto: -- ✅ Windows 10 ---- - -# Start layout XML for desktop editions of Windows 10 (reference) - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -On Windows 10 for desktop editions, the customized Start works by: - -- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. -- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints: - - Two groups that are six columns wide, or equivalent to the width of three medium tiles. - - Two medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. - - No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x 3 columns x 2 rows). - ->[!NOTE] ->To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). - -## LayoutModification XML - -IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. 
- -### Required order - -The XML schema for `LayoutModification.xml` requires the following order for tags directly under the LayoutModificationTemplate node: - -1. LayoutOptions -1. DefaultLayoutOverride -1. RequiredStartGroupsCollection -1. AppendDownloadOfficeTile - OR - AppendOfficeSuite (only one Office option can be used at a time) -1. AppendOfficeSuiteChoice -1. TopMFUApps -1. CustomTaskbarLayoutCollection -1. InkWorkspaceTopApps -1. StartLayoutCollection - -Comments are not supported in the `LayoutModification.xml` file. - -### Supported elements and attributes - ->[!NOTE] ->To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: -> ->- Do not leave spaces or white lines in between each element. ->- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. - -The following table lists the supported elements and attributes for the LayoutModification.xml file. - -> [!NOTE] -> RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images. - -| Element | Attributes | Description | -| --- | --- | --- | -| LayoutModificationTemplate | xmlns
    xmlns:defaultlayout
    xmlns:start
    Version | Use to describe the changes to the default Start layout | -| [LayoutOptions](#layoutoptions)

    Parent:
    LayoutModificationTemplate | StartTileGroupsColumnCount
    FullScreenStart | Use to specify:
    - Whether to use full screen Start on the desktop
    - The number of tile columns in the Start menu | -| RequiredStartGroupsCollection

    Parent:
    LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups | -| [RequiredStartGroups](#requiredstartgroups)

    Parent:
    RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | -| [AppendGroup](#appendgroup)

    Parent:
    RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | -| [start:Tile](#specify-start-tiles)

    Parent:
    AppendGroup | AppUserModelID
    Size
    Row
    Column | Use to specify any of the following:
    - A Universal Windows app
    - A Windows 8 or Windows 8.1 app

    Note that AppUserModelID is case-sensitive. | -| start:Folder

    Parent:
    start:Group | Name (in Windows 10, version 1809 and later only)
    Size
    Row
    Column
    LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). | -| start:DesktopApplicationTile

    Parent:
    AppendGroup | DesktopApplicationID
    DesktopApplicationLinkPath
    Size
    Row
    Column | Use to specify any of the following:
    - A Windows desktop application with a known AppUserModelID
    - An application in a known folder with a link in a legacy Start Menu folder
    - A Windows desktop application link in a legacy Start Menu folder
    - A Web link tile with an associated `.url` file that is in a legacy Start Menu folder | -| start:SecondaryTile

    Parent:
    AppendGroup | AppUserModelID
    TileID
    Arguments
    DisplayName
    Square150x150LogoUri
    ShowNameOnSquare150x150Logo
    ShowNameOnWide310x150Logo
    Wide310x150LogoUri
    BackgroundColor
    ForegroundText
    IsSuggestedApp
    Size
    Row
    Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. | -| TopMFUApps

    Parent:
    LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.

    **Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | -| Tile

    Parent:
    TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID.

    **Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | -| DesktopApplicationTile

    Parent:
    TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.

    **Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | -| AppendOfficeSuite

    Parent:
    LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

    Don't use this tag with AppendDownloadOfficeTile. | -| AppendDownloadOfficeTile

    Parent:
    LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

    Do not use this tag with AppendOfficeSuite | - -### LayoutOptions - -New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: - -- Boot to tablet mode can be set on or off -- Set full screen Start on desktop to on or off - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false -- Specify the number of columns in the Start menu to 1 or 2 - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2 - -The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu: - -```XML - - - -``` - -For devices being upgraded to Windows 10 for desktop editions: - -- Devices being upgraded from Windows 7 will default to a Start menu with one column. -- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with two columns. - -### RequiredStartGroups - -The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout. - ->[!IMPORTANT] ->For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. - -You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. 
To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: - -```XML - -``` - -If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start. - -If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute), then the region-agnostic **RequiredStartGroups** is applied to Start. - -### AppendGroup - -**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag. - -For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags. - -You can specify any number of tiles in an **AppendGroup**, but you can't specify a tile with a **Row** attribute greater than 1. The Start layout doesn't support overlapping tiles. - -### Specify Start tiles - -To pin tiles to Start, partners must use the right tile depending on what you want to pin. - -#### Tile size and coordinates - -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. - -The following table describes the attributes that you must use to specify the size and location for the tile. - -| Attribute | Description | -| --- | --- | -| Size | Determines how large the tile will be.

    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | -| Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | - -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. - - -#### start:Tile - -You can use the **start:Tile** tag to pin any of the following apps to Start: - -- A Universal Windows app -- A Windows 8 app or Windows 8.1 app - -To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. - ->[!IMPORTANT] ->**AppUserModelID** (AUMID) is case-sensitive. - -The following example shows how to pin the Microsoft Edge Universal Windows app: - - ```XML - - ``` - - -#### start:DesktopApplicationTile - -You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application: - -- Use a path to a shortcut link (.lnk file) to a Windows desktop application. - - >[!NOTE] - >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in. - - To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. - - The following example shows how to pin the Command Prompt: - - ```XML - - ``` - - - You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. 
- - If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". - -- Use the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. - - You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID. - - To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - - The following example shows how to pin the File Explorer Windows desktop application: - - ```XML - - ``` - -You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. - -To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. - -The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: - -```XML - -``` - ->[!NOTE] ->In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL. 
- - -#### start:SecondaryTile - -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag). - -The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: - -```XML - -``` - -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. - -| Attribute | Required/optional | Description | -| --- | --- | --- | -| AppUserModelID | Required | Must point to Microsoft Edge. Note that AppUserModelID is case-sensitive. | -| TileID | Required | Must uniquely identify your Web site tile. | -| Arguments | Required | Must contain the URL of your Web site. | -| DisplayName | Required | Must specify the text that you want users to see. | -| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | -| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | -| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. | -| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. | -| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | - -Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app. - -#### TopMFUApps - ->[!NOTE] ->Only applies to versions of Windows 10 earlier than version 1701. 
In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. - -You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps. - -You can use this tag to add: - -- Apps with an **AppUserModelID** attribute - This includes Windows desktop applications that have a known application user model ID. Use a **Tile** tag with the **AppUserModelID** attribute set to the app's application user model ID. -- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path. - -The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start: - - ```XML - - - - - - - -``` - -#### AppendOfficeSuite - -You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start. - ->[!NOTE] ->The OEM must have installed Office for this tag to work. - -The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start: - -```XML - - - -``` - -#### AppendOfficeSuiteChoice - -This tag is added in Windows 10, version 1801. You have two options in this tag: - -- `` -- `` - -Use `Choice=DesktopBridgeSubscription` on devices running Windows 10, version 1803, that have Office 365 preinstalled. This will set the heading of the Office suite of tiles to **Office 365**, to highlight the Office 365 apps that you've made available on the device. 
- -Use `Choice=DesktopBridge` on devices running versions of Windows 10 earlier than version 1803, and on devices shipping with [perpetual licenses for Office](/archive/blogs/ausoemteam/choosing-the-right-office-version-for-your-customers). This will set the heading of the Office suite of tiles to **Create**. - -For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles). - -#### AppendDownloadOfficeTile - -You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the **Download Office** tile to Start and the download tile will appear at the bottom right-hand side of the second group. - ->[!NOTE] ->The OEM must have installed the Office trial installer for this tag to work. - -The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file: - -```XML - - - -``` - -## Sample LayoutModification.xml - -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions: - -```XML - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Use Windows Provisioning multivariant support - -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](../provisioning-packages/provisioning-multivariant.md). 
- -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provisioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. - -For example, if you want to ensure that there's a specific layout for a certain condition, you can: - -1. Create a specific layout customization file and then name it LayoutCustomization1.xml. -1. Include the file as part of your provisioning package. -1. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. - -The following example shows what the overall customization file might look like with multivariant support for Start: - -```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - - - - - - 1 - - 1 - - 1 - - - - - - 1 - - - - - - - - - - - - c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML - - 1 - - - - - - -``` - -When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout. - -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group. 
- -## Add the LayoutModification.xml file to the device - -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. - -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** > Select the **StartLayout** setting. -1. In the middle pane, click **Browse** to open File Explorer. -1. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. - -1. Select the file and then click **Open**. - -This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. - ->[!NOTE] ->There is currently no way to add the .url and .lnk files through Windows ICD. - -Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. diff --git a/windows/configuration/start/start-secondary-tiles.md b/windows/configuration/start/start-secondary-tiles.md deleted file mode 100644 index 60449adfba1..00000000000 --- a/windows/configuration/start/start-secondary-tiles.md +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -title: Add image for secondary Microsoft Edge tiles -description: Add app tiles on Windows 10 that's a secondary tile. -ms.topic: article -ms.date: 12/31/2017 ---- - -# Add image for secondary Microsoft Edge tiles - -App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include: - -- Weather updates for a specific city in a weather app -- A summary of upcoming events in a calendar app -- Status and updates from an important contact in a social app -- A website in Microsoft Edge - -In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo. - -Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image: - -![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) - -In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image: - -![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png) - -In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout. - -![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) - -**Example of secondary tiles in XML generated by Export-StartLayout** - -```xml - -``` - -## Export Start layout and assets - -1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#customize-the-start-screen-on-your-test-computer) to customize the Start screen on your test computer. -1. 
Open Windows PowerShell as an administrator and enter the following command: - - ```powershell - Export-StartLayout -path .xml - ``` - - In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). - - Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension. - -1. If you'd like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - - - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. - -1. In Windows PowerShell, enter the following command: - - - ```powershell - Export-StartLayoutEdgeAssets assets.xml - ``` - -## Configure policy settings - -You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you're including the images for secondary tiles, you must configure another setting to import the Edge assets. - -### Using MDM - -In Microsoft Intune, you create a device restrictions policy to apply to device group. 
For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. - -1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Configuration profiles** > **Create profile**. -1. Enter the following properties: - - - **Platform**: Select **Windows 10 and later**. - - **Profile**: Select **Templates** > **Device restrictions**. - -1. Select **Create**. -1. In **Basics**, enter the following properties: - - - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. - - **Description**: Enter a description for the policy. This setting is optional, but recommended. - -1. Select **Next**. - -1. In **Configuration settings**, select **Start**. Configure the following properties: - - - **Start menu layout**: Browse to, and select your Start layout XML file. - - **Pin websites to tiles in Start menu**: Browse to, and select your assets XML file. - - There are more Start menu settings you can configure. For more information on these settings, see [Start settings in Intune](/intune/device-restrictions-windows-10#start) - -1. Select **Next**. -1. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). - - Select **Next**. - -1. In **Assignments**, select the users or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). - - Select **Next**. - -1. In **Review + create**, review your settings. 
When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. - -### Using a provisioning package - -#### Prepare the Start layout and Edge assets XML files - -The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. - -1. Copy the contents of layout.xml into an online tool that escapes characters. - -1. Copy the contents of assets.xml into an online tool that escapes characters. - -1. When you create a provisioning package, you'll copy the text with the escape characters and paste it in the customizations.xml file for your project. - -#### Create a provisioning package that contains a customized Start layout - - - -Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -1. Choose **Advanced provisioning**. - -1. Name your project, and select **Next**. - -1. 
Choose **All Windows desktop editions** and select **Next**. - -1. On **New project**, select **Finish**. The workspace for your package opens. - -1. Expand **Runtime settings** > **Policies** > **Start**, and select **StartLayout**. - - >[!TIP] - >If **Start** is not listed, check the type of settings you selected in step 1. You must create the project using settings for **All Windows desktop editions**. - -1. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the layout.xml file in a later step. - -1. In the **Available customizations** pane, select **ImportEdgeAssets**. - -1. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the assets.xml file in a later step. - -1. Save your project and close Windows Configuration Designer. - -1. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) - -1. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - - ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png) - -1. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). - -1. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape). - -1. Save and close the customizations.xml file. - -1. Open Windows Configuration Designer and open your project. - -1. On the **File** menu, select **Save.** - -1. On the **Export** menu, select **Provisioning package**. - -1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -1. 
Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - -1. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - - Optionally, you can select **Browse** to change the default output location. - -1. Select **Next**. - -1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, select **Cancel**. It cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To change the path, select **Back** to change the output package name and path, and then select **Next** to start another build. - - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. - -1. Copy the provisioning package to the target device. -1. 
Double-click the ppkg file and allow it to install. diff --git a/windows/configuration/start/supported-csp-start-menu-layout-windows.md b/windows/configuration/start/supported-csp-start-menu-layout-windows.md deleted file mode 100644 index fcc05cbe558..00000000000 --- a/windows/configuration/start/supported-csp-start-menu-layout-windows.md +++ /dev/null 
@@ -1,71 +0,0 @@
----
-title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs
-description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu.
-ms.date: 12/31/2017
-ms.topic: article
-appliesto:
-- ✅ Windows 11
----
-
-# Supported configuration service provider (CSP) policies for Windows 11 Start menu
-
-The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
-
-This article lists the CSPs that are available to customize the Start menu for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
-
-For information on customizing the Start menu layout using policy, see [Customize the Start menu layout on Windows 11](customize-start-menu-layout-windows-11.md).
- -## Existing Windows CSP policies that Windows 11 supports - -- [Start/AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) -- [Start/AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) -- [Start/AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) -- [Start/AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) -- [Start/AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) -- [Start/AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) -- [Start/AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) -- [Start/AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) -- [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) -- [Start/AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) -- [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) -- [Start/HideHibernate](/windows/client-management/mdm/policy-csp-start#start-hidehibernate) -- [Start/HideLock](/windows/client-management/mdm/policy-csp-start#start-hidelock) -- [Start/HidePowerButton](/windows/client-management/mdm/policy-csp-start#start-hidepowerbutton) -- [Start/HideRestart](/windows/client-management/mdm/policy-csp-start#start-hiderestart) -- [Start/HideShutDown](/windows/client-management/mdm/policy-csp-start#start-hideshutdown) -- [Start/HideSignOut](/windows/client-management/mdm/policy-csp-start#start-hidesignout) -- 
[Start/HideSleep](/windows/client-management/mdm/policy-csp-start#start-hidesleep) -- [Start/HideSwitchAccount](/windows/client-management/mdm/policy-csp-start#start-hideswitchaccount) -- [Start/HideUserTile](/windows/client-management/mdm/policy-csp-start#start-hideusertile) -- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) -- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) -- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 1. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored. - - The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu. 
- -**The following policies are supported starting with Windows 11, version 22H2:** - -- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist) -- [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus) -## Existing CSP policies that Windows 11 doesn't support - -- [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` - -- [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps) - - Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu` - - -> [!NOTE] -> The following two policies are supported starting in Windows 11, version 22H2 - -- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist) - - Group policy: - - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` - -- [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus) - - Group policy: - - - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` diff --git a/windows/configuration/start/toc.yml b/windows/configuration/start/toc.yml index 649a6796539..13f6bda4707 100644 --- a/windows/configuration/start/toc.yml +++ b/windows/configuration/start/toc.yml 
@@ -1,23 +1,12 @@
 items:
-- name: Customizethe Start menu in Windows 11
- href: customize-start-menu-layout-windows-11.md
-- name: Supported Start menu CSPs
- href: supported-csp-start-menu-layout-windows.md
-- name: Start layout and taskbar
- href: windows-10-start-layout-options-and-policies.md
-- name: Use XML
- items:
- - name: Customize and export Start layout
- href: customize-and-export-start-layout.md
- - name: Add image for secondary Microsoft Edge tiles
- href: start-secondary-tiles.md
- - name: Start layout XML for Windows 10 desktop editions (reference)
- href: start-layout-xml-desktop.md
-- name: Use group policy
- href: customize-windows-10-start-screens-by-using-group-policy.md
-- name: Use provisioning packages
- href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
-- name: Use mobile device management (MDM)
- href: customize-windows-10-start-screens-by-using-mobile-device-management.md
-- name: Troubleshoot Start menu errors
+- name: Overview
+ href: index.md
+ displayName: Configure the Start menu
+- name: Customize the Start layout
+ href: layout.md
+- name: Policy settings
+ href: policy-settings.md
+- name: XML schema definition (XSD)
+ href: xsd.md
+- name: Troubleshoot Start menu errors 🔗
 href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors
diff --git a/windows/configuration/start/windows-10-start-layout-options-and-policies.md b/windows/configuration/start/windows-10-start-layout-options-and-policies.md
deleted file mode 100644
index 6bc1b415c52..00000000000
--- a/windows/configuration/start/windows-10-start-layout-options-and-policies.md
+++ /dev/null
@@ -1,205 +0,0 @@ ---- -title: Customize and manage the Windows 10 Start and taskbar layout -description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. -ms.topic: article -ms.date: 08/05/2021 ---- - -# Customize the Start menu and taskbar layout on Windows 10 and later devices - -> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu) -> -> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). - -Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. - ->[!NOTE] ->Support for applying a customized taskbar using MDM is added in Windows 10, version 1701. - -As administrator, you can use these features to customize Start and taskbar to meet your organization needs. This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded. - ->[!NOTE] ->For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). -> ->Using CopyProfile for Start menu customization in Windows 10 isn't supported. 
For more information [Customize the Default User Profile by Using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) - -## Use XML - -On an existing Windows device, you can set up the **Start** screen, and then export the layout to an XML file. When you have the XML file, add this file to a group policy, a Windows Configuration Designer provisioning package, or a mobile device management (MDM) policy. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the layout configured in the XML file. - -For more information, see [Customize and export Start layout](customize-and-export-start-layout.md). - -For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file. - -For more information, see [Configure Windows 10 taskbar](../taskbar/configure-windows-10-taskbar.md). - -## Use group policy - -Using group policy objects (GPO), you can manage different parts of the Start menu and taskbar. You don't need to reimage the devices. Using administrative templates, you configure settings in a policy, and then deploy this policy to your devices. [Start menu policy settings](#start-menu-policy-settings) (in this article) lists the policies you can configure. - -For more information, see [Use group policy to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-group-policy.md). - -## Use provisioning packages - -Provisioning packages are containers that include a set of configuration settings. They're designed to configure a device quickly, without installing a new image. 
For more information on what provisioning packages are, and what they do, see [Provisioning packages](../provisioning-packages/provisioning-packages.md). - -Using a provisioning package, you can customize the Start and taskbar. For more information, see [Use provisioning packages to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). - -## Use a mobile device management (MDM) solution - -Using an MDM solution, you add an XML file to a policy, and then deploy this policy to your devices. - -If you use Microsoft Intune for your MDM solution, then you can use settings to configure Start and the taskbar. For more information on the settings you can configure, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). - -For more information, see [Use MDM to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-mobile-device-management.md). - -## Start menu policy settings - -![start layout sections.](images/startannotated.png) - -The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](../wcd/wcd-policies.md#start). 
- -- **User tile** - - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Logoff on the Start menu` - - **Local setting**: None - - **MDM policy**: - - Start/HideUserTile - - Start/HideSwitchAccount - - Start/HideSignOut - - Start/HideLock - - Start/HideChangeAccountSettings - -- **Most used** - - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove frequent programs from the Start menu` - - **Local setting**: Settings > Personalization > Start > Show most used apps - - **MDM policy**: Start/HideFrequentlyUsedApps - -- **Suggestions, Dynamically inserted app tile** - - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences` - - This policy also enables or disables notifications for: - - - A user's Microsoft account - - App tiles that Microsoft dynamically adds to the default Start menu - - - **Local setting**: Settings > Personalization > Start > Occasionally show suggestions in Start - - **MDM policy**: Allow Windows Consumer Features - -- **Recently added** - - **Group policy**: `Computer configuration\Administrative Template\Start Menu and Taskbar\Remove "Recently Added" list from Start Menu` - - This policy applies to: - - - Windows 10 version 1803 and later - - - **Local setting**: Settings > Personalization > Start > Show recently added apps - - **MDM policy**: Start/HideRecentlyAddedApps - -- **Pinned folders** - - **Local setting**: Settings > Personalization > Start > Choose which folders appear on Start - - **MDM policy**: AllowPinnedFolder - -- **Power** - - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands` - - **Local setting**: None - - **MDM policy**: - - Start/HidePowerButton - - Start/HideHibernate - - Start/HideRestart - - Start/HideShutDown - - Start/HideSleep - -- 
**Start layout** - - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from customizing their Start screen` - - When a full Start screen layout is imported with Group Policy or MDM, users can't pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the **All Apps** view, but they can't pin any apps to the Start screen. When a partial Start screen layout is imported, users can't change the tile groups applied by the partial layout. They can change other tile groups, and create their own tile groups. - - **Start layout** policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar. - - - **Local setting**: None - - **MDM policy**: - - Start layout - - ImportEdgeAssets - -- **Jump lists** - - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - - **Local setting**: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar - - **MDM policy**: Start/HideRecentJumplists - -- **Start size** - - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Force Start to be either full screen size or menu size` - - **Local setting**: Settings > Personalization > Start > Use Start full screen - - **MDM policy**: Force Start size - -- **App list** - - **Local setting**: Settings > Personalization > Start > Show app list in Start menu - - **MDM policy**: Start/HideAppList - -- **All settings** - - **Group policy**: `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings` - - **Local setting**: None - -- **Taskbar** - - **Local setting**: None - - **MDM policy**: Start/NoPinningToTaskbar - -> [!NOTE] -> In the **Settings** app > **Personalization** > **Start**, there is a **Show more tiles on Start** 
option. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles on Start** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting, and then arrange your tiles. - -## Taskbar options - -Starting in Windows 10 version 1607, you can pin more apps to the taskbar, and remove default pinned apps from the taskbar. You can select different taskbar configurations based on device locale or region. - -There are three app categories that could be pinned to a taskbar: - -- Apps pinned by the user -- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Store -- Apps pinned by your organization, such as in an unattended Windows setup - - In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](../taskbar/configure-windows-10-taskbar.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). - -The following example shows how apps are pinned. In OS configured to use a right-to-left language, the taskbar order is reversed: - -- Windows default apps to the left (blue circle) -- Apps pinned by the user in the center (orange triangle) -- Apps that you pin using XML to the right (green square) - -![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) - -If you apply the taskbar configuration to a clean install or an update, users can still: - -- Pin more apps -- Change the order of pinned apps -- Unpin any app - -> [!TIP] -> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar. 
- -### Taskbar configuration applied to clean install of Windows 10 - -In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar: - -- Apps you specifically add -- Any default apps you don't remove - -After the layout is applied, users can pin more apps to the taskbar. - -### Taskbar configuration applied to Windows 10 upgrades - -When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup. - -On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior: - -- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right. -- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned. -- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right. -- New apps specified in updated layout file are pinned to right of user's pinned apps. - -[Learn how to configure Windows 10 taskbar](../taskbar/configure-windows-10-taskbar.md). - -## Start layout configuration errors - -If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: - -- **Event 22**: The XML is malformed. The specified file isn't valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. -- **Event 64**: The XML is valid, and has unexpected values. 
This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`. diff --git a/windows/configuration/start/xsd.md b/windows/configuration/start/xsd.md new file mode 100644 index 00000000000..714f0aa70f2 --- /dev/null +++ b/windows/configuration/start/xsd.md @@ -0,0 +1,432 @@ +--- +title: Start XML Schema Definition (XSD) +description: Start XSD reference article. +ms.topic: reference +ms.date: 04/10/2024 +appliesto: +- ✅ Windows 10 +--- + +# Start XML Schema Definition (XSD) + +This reference article contains the Start XML schema definition (XSD). + +## StartLayout + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## LayoutModification + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## FullDefaultLayout + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/store/find-aumid.md b/windows/configuration/store/find-aumid.md new file mode 100644 index 00000000000..2e19c3355ea --- /dev/null +++ b/windows/configuration/store/find-aumid.md 
@@ -0,0 +1,114 @@ +--- +title: Find the Application User Model ID of an installed app +description: Learn how to find the Application User Model ID (AUMID) of the applications installed on a Windows device. +ms.topic: how-to +ms.date: 02/06/2024 +--- + +# Find the Application User Model ID of an installed app + +Windows uses Application User Model Id (AUMID, also known as AppId) values to identify and differentiate applications for switching, launching, telemetry, and other functions.\ +AUMID are unique to each installed application, and independent of the installation path or the application's display name. + +To configure Assigned Access, which is the Configuration Service Provider (CSP) used to create a kiosk or dedicated device, you must use the AUMID of the apps installed on a device. This article describes how to find the AUMID of an installed application. + +## How to find the AUMID + +You can find an application's AUMID by using Windows PowerShell, File Explorer, or the registry. + +Follow the instructions to retrieve AUMIDs, selecting the tool of your choice. + +# [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) + +To get the names and AUMIDs for all apps that appear in the Start menu, open a Windows PowerShell command prompt and enter the following command: + +```powershell +Get-StartApps +``` + +>[!NOTE] +>Applications that are not listed in the Start menu will not appear in the output of the **Get-StartApps** cmdlet. + +To get the names and AUMIDs for Microsoft Store apps installed for the current user, open a Windows PowerShell command prompt and enter the following commands: + +```powershell +$installedapps = Get-AppxPackage + +$aumidList = @() +foreach ($app in $installedapps) +{ + foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id) + { + $aumidList += $app.packagefamilyname + "!" 
+ $id + } +} + +$aumidList +``` + +> [!NOTE] +> You can add the `-user ` or the `-allusers` parameters to the `Get-AppxPackage` cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. + +### Example to get AUMIDs of the installed apps for the specified user + +The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. + +### Example to get the AUMID of any application in the Start menu + +The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. + +```powershell +function Get-AppAUMID { +param ( +[string]$AppName +) +$Apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() +if ($AppName){ + $Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}} + if ($Result){ + Return $Result + } + else {"Unable to locate {0}" -f $AppName} +} +else { + $Result = $Apps | Select-Object name,@{n="AUMID";e={$_.path}} + Return $Result +} +} +``` + +The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it. + +```powershell +# Get the AUMID for OneDrive +Get-AppAUMID -AppName OneDrive + +# Get the AUMID for Microsoft Word +Get-AppAUMID -AppName Word + +# List all apps and their AUMID in the Start menu +Get-AppAUMID +``` + +# [:::image type="icon" source="../images/icons/explorer.svg"::: **Explorer**](#tab/explorer) + +To get the names and AUMIDs for all apps installed for the current user, perform the following steps: + +1. Select **Start** > **Run**, enter `shell:Appsfolder`, and select **OK** +1. A File Explorer window opens. Press Alt+V > **Choose details** +1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. 
(You might need to c +1. Change the **View** setting from **Tiles** to **Details** + +:::image type="content" source="images/aumid-file-explorer.png" alt-text="Screenshot of the File Explorer showing the AUMID details." border="false"::: + +# [:::image type="icon" source="../images/icons/registry.svg"::: **Registry**](#tab/registry) + +Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. + +At a command prompt, type the following command: + +```cmd +reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ" +``` + +--- diff --git a/windows/configuration/store/images/aumid-file-explorer.png b/windows/configuration/store/images/aumid-file-explorer.png new file mode 100644 index 00000000000..0361cd9bfec Binary files /dev/null and b/windows/configuration/store/images/aumid-file-explorer.png differ diff --git a/windows/configuration/store/images/store-blocked.png b/windows/configuration/store/images/store-blocked.png new file mode 100644 index 00000000000..c45c074f34c Binary files /dev/null and b/windows/configuration/store/images/store-blocked.png differ diff --git a/windows/configuration/store/index.md b/windows/configuration/store/index.md new file mode 100644 index 00000000000..09c92aea0fb --- /dev/null +++ b/windows/configuration/store/index.md 
@@ -0,0 +1,66 @@ +--- +title: Configure access to the Microsoft Store app +description: Learn how to configure access to the Microsoft Store app. +ms.topic: how-to +ms.date: 03/13/2024 +--- + +# Configure access to the Microsoft Store app + +Microsoft Store is a digital distribution platform that provides a way for users to install applications on Windows devices. For some organizations, business policies require blocking access to Microsoft Store. + +This article describes how to configure access to the Microsoft Store app in your organization. + +## Prevent access to the Microsoft Store app + +You can use configuration service provider (CSP) or group policy (GPO) settings to configure access to the Microsoft Store app. The CSP configuration is available to Windows Enterprise and Education editions only. + +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| **Administrative Templates > Windows Components > Store** | Turn off the Store application| **Enabled**| + +[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1]. + +| Setting | +|--| +|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2`
    - **Data type:** string
    - **Value:** ``| + +#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) + +[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\Windows Components\Store** | Turn off the Store application| **Enabled**| + +[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)] + +--- + +## User experience + +When you turn off the Microsoft Store application, users get the following message when they open it: + +:::image type="content" source="images/store-blocked.png" alt-text="Screenshot of the Microsoft Store app blocked access." border="false"::: + +## Considerations + +Here are some considerations when you prevent access to the Microsoft Store app: + +- Microsoft Store applications keep updating automatically, by default +- Users might still be able to install applications using Windows Package Manager (winget), or other methods, if they don't need to acquire the package from Microsoft Store +- Devices managed by Microsoft Intune can still install applications sourced from Microsoft Store, even if you block access to the Microsoft Store app. To learn more, see [Add Microsoft Store apps to Microsoft Intune][INT-2] + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-admx-windowsstore +[INT-1]: /mem/intune/configuration/settings-catalog +[INT-2]: /mem/intune/apps/store-apps-microsoft diff --git a/windows/configuration/store/stop-employees-from-using-microsoft-store.md b/windows/configuration/store/stop-employees-from-using-microsoft-store.md deleted file mode 100644 index a70a6b5922c..00000000000 --- a/windows/configuration/store/stop-employees-from-using-microsoft-store.md +++ /dev/null 
@@ -1,107 +0,0 @@ ---- -title: Configure access to Microsoft Store -description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. -ms.topic: conceptual -ms.date: 11/29/2022 ---- - -# Configure access to Microsoft Store - -IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. - -> [!IMPORTANT] -> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. - -## Options to configure access to Microsoft Store - -You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition. - -## Block Microsoft Store using AppLocker - -Applies to: Windows 10 Enterprise, Windows 10 Education - -AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers. - -For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps). - -**To block Microsoft Store using AppLocker:** - -1. Enter **`secpol`** in the search bar to find and start AppLocker. - -1. 
In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**. - -1. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**. - -1. On **Before You Begin**, select **Next**. - -1. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**. - -1. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**. - -1. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**. - - [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules. - -1. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. - -## Block Microsoft Store using configuration service provider - -Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education - -If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs): - -- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) -- [AppLocker CSP](/windows/client-management/mdm/applocker-csp) - -For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business). 
- -For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements). - -> [!IMPORTANT] -> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store. - -## Block Microsoft Store using Group Policy - -Applies to: Windows 10 Enterprise, Windows 10 Education - -> [!NOTE] -> Not supported on Windows 10 Pro, starting with version 151. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). - -You can also use Group Policy to manage access to Microsoft Store. - -**To block Microsoft Store using Group Policy:** - -1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor. - -1. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**. - -1. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**. - -1. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**. - -> [!IMPORTANT] -> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store. 
- -## Show private store only using Group Policy - -Applies to Windows 10 Enterprise, Windows 10 Education - -If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. - -**To show private store only in Microsoft Store app:** - -1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. - -1. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**. - -1. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**. - - The **Only display the private store within the Microsoft Store app** policy settings will open. - -1. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**. - -## Related articles - -[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store) - -[Manage access to private store](/microsoft-store/manage-access-to-private-store) diff --git a/windows/configuration/store/toc.yml b/windows/configuration/store/toc.yml new file mode 100644 index 00000000000..1be495bbbe9 --- /dev/null +++ b/windows/configuration/store/toc.yml @@ -0,0 +1,5 @@ +items: + - name: Configure access to Microsoft Store + href: index.md + - name: Find the AUMID of an installed app + href: find-aumid.md \ No newline at end of file 
diff --git a/windows/configuration/taskbar/configure-windows-10-taskbar.md b/windows/configuration/taskbar/configure-windows-10-taskbar.md
deleted file mode 100644
index b9ac41035dd..00000000000
--- a/windows/configuration/taskbar/configure-windows-10-taskbar.md
+++ /dev/null
@@ -1,310 +0,0 @@ ---- -title: Configure Windows taskbar -description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -ms.topic: how-to -ms.date: 08/18/2023 -appliesto: -- ✅ Windows 10 ---- - -# Configure Windows 10 taskbar - -Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. - -> [!NOTE] -> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. - -You can specify different taskbar configurations based on device locale and region. There's no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). - -If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar. - -The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, starting to the right of any existing apps pinned by the user. - -> [!NOTE] -> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). - -![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) - -## Configure taskbar (general) - -To configure the taskbar: - -1. 
Create the XML file - - If you're also [customizing the Start layout](../start/customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. - - If you're only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file -1. Edit and save the XML file. You can use [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar - - Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. - - Use `` and [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps - - Use `` and Desktop Application Link Path to pin desktop applications -1. Apply the layout modification XML file to devices using [Group Policy](../start/customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](../start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). - ->[!IMPORTANT] ->If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. -> ->If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. 
If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](../start/customize-and-export-start-layout.md#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. - -### Tips for finding AUMID and Desktop Application Link Path - -In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. - -The easiest way to find this data for an application is to: - -1. Pin the application to the Start menu on a reference or testing PC -1. Open Windows PowerShell and run the `Export-StartLayout` cmdlet -1. Open the generated XML file -1. Look for an entry corresponding to the app you pinned -1. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath` - -### Sample taskbar configuration XML file - -```xml - - - - - - - - - - - -``` - -### Sample taskbar configuration added to Start layout XML file - -```xml - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Keep default apps and add your own - -The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. - -```xml - - - - - - - - - - - - -``` - -**Before:** - -![default apps pinned to taskbar.](images/taskbar-default.png) - -**After:** - - ![additional apps pinned to taskbar.](images/taskbar-default-plus.png) - -## Remove default apps and add your own - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. 
- -If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. - -```xml - - - - - - - - - - - - -``` - -**Before:** - -![Taskbar with default apps.](images/taskbar-default.png) - -**After:** - -![Taskbar with default apps removed.](images/taskbar-default-removed.png) - -## Remove default apps - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. - -```xml - - - - - - - - - - -``` - -## Configure taskbar by country or region - -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there's no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: - -![taskbar for US and UK locale.](images/taskbar-region-usuk.png) - -The resulting taskbar for computers in Germany or France: - -![taskbar for DE and FR locale.](images/taskbar-region-defr.png) - -The resulting taskbar for computers in any other country region: - -![taskbar for all other regions.](images/taskbar-region-other.png) - -> [!NOTE] -> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) - -## Layout Modification Template schema definition - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` 
diff --git a/windows/configuration/taskbar/customize-taskbar-windows-11.md b/windows/configuration/taskbar/customize-taskbar-windows-11.md
deleted file mode 100644
index 6af8ef100f1..00000000000
--- a/windows/configuration/taskbar/customize-taskbar-windows-11.md
+++ /dev/null
@@ -1,234 +0,0 @@ ---- -title: Configure and customize Windows 11 taskbar -description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Intune. See what happens to the taskbar when the Windows OS client is installed or upgraded. -ms.date: 08/17/2023 -ms.topic: article -ms.collection: - - tier1 -appliesto: -- ✅ Windows 11 ---- - -# Customize the Taskbar on Windows 11 - -> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). - -Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps. - -For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar. - -To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. - -This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons). - -## Before you begin - -- There isn't a limit on the number of apps that you can pin. 
In the XML file, add apps using the [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app). -- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar. -- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed. -- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). -- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. - - In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: - - - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) - - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) - -## Create the XML file - -1. In a text editor, such as Visual Studio Code, create a new XML file. 
To help you get started, you can copy and paste the following XML sample. The sample pins 2 apps to the taskbar - File Explorer and the Command Prompt: - - ```xml - - - - - - - - - - - - ``` - -1. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps: - - - ``: Select this option for UWP apps. Add the [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) of the UWP app. - - ``: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app. - - You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar. - - For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). - -1. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: - - - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned. - - ``: Unpins the default apps. Only the apps you add are pinned. - - If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned. - -1. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region. - - In the following XML example, two regions are added: `US|UK` and `DE|FR`: - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` - - The taskbar applies when: - - - If the `` node has a country or region, then the apps are pinned on devices configured for that country or region. - - If the `` node doesn't have a region tag for the current region, then the first `` node with no region is applied. - -1. 
Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices. - -## Use Group Policy or MDM to create and deploy a taskbar policy - -Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Intune. - -This section shows you how to deploy the XML both ways. - -### Use Group Policy to deploy your XML file - -Use the following steps to add your XML file to a group policy, and apply the policy: - -1. Open your policy editor. For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies. -1. Go to one of the following policies: - - - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` - -1. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled. - - Your policy looks like the following policy: - - :::image type="content" source="images/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices."::: - - The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. 
Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices. - -1. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes. - - For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/). - -### Create a Microsoft Intune policy to deploy your XML file - -MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. - -Use the following steps to create an Intune policy that deploys your taskbar XML file: - -1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. Select **Devices** > **Configuration profiles** > **Create profile**. - -1. Enter the following properties: - - - **Platform**: Select **Windows 10 and later**. - - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. - -1. In **Basics**, enter the following properties: - - - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**. - - **Description**: Enter a description for the profile. This setting is optional, and recommended. - -1. Select **Next**. - -1. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file. - -1. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure). - -1. When the policy is created, you can deploy it now, or deploy it later. 
Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time. - - For more information and guidance on assigning policies using Microsoft Intune, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). - -> [!NOTE] -> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. - -## Get the AUMID and Desktop app link path - -In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet: - -1. On an existing Windows 11 device, pin the app to the Start menu. -1. Create a folder to save an output file. For example, create the `C:\Layouts` folder. -1. Open the Windows PowerShell app, and run the following cmdlet: - - ```powershell - Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml" - ``` - -1. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file. - -## Pin order for all apps - -On a taskbar, the following apps are typically pinned: - -- Apps pinned by the user -- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Microsoft Store. -- Apps pinned by your organization, such as in an unattended Windows setup. - - In an unattended Windows setup file, use the XML file you created in this article. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). 
- -Apps are pinned in the following order: - -1. Windows default apps are pinned first. -1. User-pinned apps are pinned after the Windows default apps. -1. XML-pinned apps are pinned after the user-pinned apps. - -If the OS is configured to use a right-to-left language, then the taskbar order is reversed. - -## OS install and upgrade - -- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar: - - - Apps you specifically add - - Any default apps you don't remove - - After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps. - -- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior: - - - If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps. - - If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned. - - If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps. - - New apps in updated layout file are pinned after the user's pinned apps. - - After the layout is applied, users can pin more apps, change the order, and unpin apps. diff --git a/windows/configuration/taskbar/images/pin-add-10.png b/windows/configuration/taskbar/images/pin-add-10.png new file mode 100644 index 00000000000..398028ee4ba Binary files /dev/null and b/windows/configuration/taskbar/images/pin-add-10.png differ diff --git a/windows/configuration/taskbar/images/pin-add-11.png b/windows/configuration/taskbar/images/pin-add-11.png new file mode 100644 index 00000000000..867f27af436 Binary files /dev/null and b/windows/configuration/taskbar/images/pin-add-11.png differ 
diff --git a/windows/configuration/taskbar/images/pin-layout-10.png b/windows/configuration/taskbar/images/pin-layout-10.png
new file mode 100644
index 00000000000..463655d37e2
Binary files /dev/null and b/windows/configuration/taskbar/images/pin-layout-10.png differ
diff --git a/windows/configuration/taskbar/images/pin-layout-11.png b/windows/configuration/taskbar/images/pin-layout-11.png
new file mode 100644
index 00000000000..5df7a8bfda8
Binary files /dev/null and b/windows/configuration/taskbar/images/pin-layout-11.png differ
diff --git a/windows/configuration/taskbar/images/pin-remove-10.png b/windows/configuration/taskbar/images/pin-remove-10.png
new file mode 100644
index 00000000000..7d8671887b5
Binary files /dev/null and b/windows/configuration/taskbar/images/pin-remove-10.png differ
diff --git a/windows/configuration/taskbar/images/pin-remove-11.png b/windows/configuration/taskbar/images/pin-remove-11.png
new file mode 100644
index 00000000000..736d4b2d111
Binary files /dev/null and b/windows/configuration/taskbar/images/pin-remove-11.png differ
diff --git a/windows/configuration/taskbar/images/pin-replace-10.png b/windows/configuration/taskbar/images/pin-replace-10.png
new file mode 100644
index 00000000000..31b1bfd98a5
Binary files /dev/null and b/windows/configuration/taskbar/images/pin-replace-10.png differ
diff --git a/windows/configuration/taskbar/images/pin-replace-11.png b/windows/configuration/taskbar/images/pin-replace-11.png
new file mode 100644
index 00000000000..f758d145be1
Binary files /dev/null and b/windows/configuration/taskbar/images/pin-replace-11.png differ
diff --git a/windows/configuration/taskbar/images/start-layout-group-policy.png b/windows/configuration/taskbar/images/start-layout-group-policy.png
deleted file mode 100644
index 99252bd1394..00000000000
Binary files a/windows/configuration/taskbar/images/start-layout-group-policy.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-10.png b/windows/configuration/taskbar/images/taskbar-10.png
new file mode 100644
index 00000000000..d99c1dd15db
Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-10.png differ
diff --git a/windows/configuration/taskbar/images/taskbar-11.png b/windows/configuration/taskbar/images/taskbar-11.png
new file mode 100644
index 00000000000..0e24fb26799
Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-11.png differ
diff --git a/windows/configuration/taskbar/images/taskbar-default-plus.png b/windows/configuration/taskbar/images/taskbar-default-plus.png
deleted file mode 100644
index 8afcebac095..00000000000
Binary files a/windows/configuration/taskbar/images/taskbar-default-plus.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-default-removed.png b/windows/configuration/taskbar/images/taskbar-default-removed.png
deleted file mode 100644
index b3ff924e9f9..00000000000
Binary files a/windows/configuration/taskbar/images/taskbar-default-removed.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-default.png b/windows/configuration/taskbar/images/taskbar-default.png
deleted file mode 100644
index 41c6c722580..00000000000
Binary files a/windows/configuration/taskbar/images/taskbar-default.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-generic.png b/windows/configuration/taskbar/images/taskbar-generic.png
deleted file mode 100644
index 6d47a6795a9..00000000000
Binary files a/windows/configuration/taskbar/images/taskbar-generic.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-region-defr.png b/windows/configuration/taskbar/images/taskbar-region-defr.png
deleted file mode 100644
index 6d707b16f41..00000000000
Binary files a/windows/configuration/taskbar/images/taskbar-region-defr.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-region-other.png b/windows/configuration/taskbar/images/taskbar-region-other.png
deleted file mode 100644
index fab367ef7a5..00000000000
Binary files a/windows/configuration/taskbar/images/taskbar-region-other.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-region-usuk.png b/windows/configuration/taskbar/images/taskbar-region-usuk.png
deleted file mode 100644
index 6bba65ee813..00000000000
Binary files a/windows/configuration/taskbar/images/taskbar-region-usuk.png and /dev/null differ
diff --git a/windows/configuration/taskbar/images/taskbar-sections-10.png b/windows/configuration/taskbar/images/taskbar-sections-10.png
new file mode 100644
index 00000000000..eec49c3d24f
Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-sections-10.png differ
diff --git a/windows/configuration/taskbar/images/taskbar-sections-11.png b/windows/configuration/taskbar/images/taskbar-sections-11.png
new file mode 100644
index 00000000000..68e6ce31c5d
Binary files /dev/null and b/windows/configuration/taskbar/images/taskbar-sections-11.png differ
diff --git a/windows/configuration/taskbar/includes/allow-widgets.md b/windows/configuration/taskbar/includes/allow-widgets.md
new file mode 100644
index 00000000000..7033aec8258
--- /dev/null
+++ b/windows/configuration/taskbar/includes/allow-widgets.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Allow widgets
+
+This policy specifies whether the widgets feature is allowed on the device.
+
+- Widgets are turned on by default, unless you change this in your settings
+- If you turn on this policy setting, widgets are enabled automatically, unless you turn it off in your settings
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/`[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) |
+| **GPO** | - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Widgets** |
diff --git a/windows/configuration/taskbar/includes/configure-start-layout.md b/windows/configuration/taskbar/includes/configure-start-layout.md
new file mode 100644
index 00000000000..ce75e3d6dfb
--- /dev/null
+++ b/windows/configuration/taskbar/includes/configure-start-layout.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/10/2024
+ms.topic: include
+---
+
+### Configure Start layout
+
+
+
+This policy setting lets you specify the applications pinned to the taskbar. The layout that you specify has an XML format.
+
+| | Path |
+|--|--|
+| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout)
    - `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout) | +| **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**
    - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | + +For more information, see [Customize the taskbar pinned applications](../pinned-apps.md). diff --git a/windows/configuration/taskbar/includes/configures-search-on-the-taskbar.md b/windows/configuration/taskbar/includes/configures-search-on-the-taskbar.md new file mode 100644 index 00000000000..5e009d11255 --- /dev/null +++ b/windows/configuration/taskbar/includes/configures-search-on-the-taskbar.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Configures search on the taskbar + +This policy setting allows you to configure search on the taskbar. + +- If you enable this policy setting and set it to **hide**, search on taskbar is hidden by default. Users can't change it in Settings +- If you enable this policy setting and set it to **search icon only**, the search icon is displayed on the taskbar by default. Users can't change it in Settings +- If you enable this policy setting and set it to **search icon and label**, the search icon and label are displayed on the taskbar by default. Users can't change it in Settings +- If you enable this policy setting and set it to **search box**, the search box is displayed on the taskbar by default. Users can't change it in Settings +- If you disable or don't configure this policy setting, search on taskbar is configured according to the defaults for your Windows edition. Users can change search on taskbar in Settings + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Search/`[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) | +| **GPO** | - **Computer Configuration** > **Windows Components** > **Search** | 
diff --git a/windows/configuration/taskbar/includes/disable-editing-quick-settings.md b/windows/configuration/taskbar/includes/disable-editing-quick-settings.md
new file mode 100644
index 00000000000..e57bff141e3
--- /dev/null
+++ b/windows/configuration/taskbar/includes/disable-editing-quick-settings.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 03/18/2024
+ms.topic: include
+---
+
+### Disable editing Quick Settings
+
+- If you enable this policy setting, users can't modify Quick Settings
+- If you disable or don't configure this policy setting, users can edit Quick Settings
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[DisableEditingQuickSettings](/windows/client-management/mdm/policy-csp-start#disableeditingquicksettings)|
+| **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Disable editing quick settings** |
diff --git a/windows/configuration/taskbar/includes/do-not-allow-pinning-items-in-jump-lists.md b/windows/configuration/taskbar/includes/do-not-allow-pinning-items-in-jump-lists.md
new file mode 100644
index 00000000000..9813a70d101
--- /dev/null
+++ b/windows/configuration/taskbar/includes/do-not-allow-pinning-items-in-jump-lists.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Do not allow pinning items in Jump Lists
+
+With this policy setting you control the pinning of items in Jump Lists.
+
+- If you enable this policy setting, users can't pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users can't unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists continue to show
+- If you disable or don't configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items are always present in this menu
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/do-not-allow-pinning-programs-to-the-taskbar.md b/windows/configuration/taskbar/includes/do-not-allow-pinning-programs-to-the-taskbar.md
new file mode 100644
index 00000000000..8017676f8c8
--- /dev/null
+++ b/windows/configuration/taskbar/includes/do-not-allow-pinning-programs-to-the-taskbar.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Do not allow pinning programs to the Taskbar
+
+This policy setting allows you to control pinning programs to the Taskbar.
+
+- If you enable this policy setting, users can't change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users can't unpin these programs already pinned to the Taskbar, and they can't pin new programs to the Taskbar
+- If you disable or don't configure this policy setting, users can change the programs currently pinned to the Taskbar
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/do-not-allow-pinning-store-app-to-the-taskbar.md b/windows/configuration/taskbar/includes/do-not-allow-pinning-store-app-to-the-taskbar.md
new file mode 100644
index 00000000000..bdfd18c8ccf
--- /dev/null
+++ b/windows/configuration/taskbar/includes/do-not-allow-pinning-store-app-to-the-taskbar.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Do not allow pinning Store app to the Taskbar
+
+This policy setting allows you to control pinning the Store app to the Taskbar.
+
+- If you enable this policy setting, users can't pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next sign in
+- If you disable or don't configure this policy setting, users can pin the Store app to the Taskbar
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/do-not-allow-taskbars-on-more-than-one-display.md b/windows/configuration/taskbar/includes/do-not-allow-taskbars-on-more-than-one-display.md
new file mode 100644
index 00000000000..4d42fdee7d5
--- /dev/null
+++ b/windows/configuration/taskbar/includes/do-not-allow-taskbars-on-more-than-one-display.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Do not allow taskbars on more than one display
+
+This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setting, users aren't able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. If you disable or don't configure this policy setting, users can show taskbars on more than one display.
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md b/windows/configuration/taskbar/includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md
new file mode 100644
index 00000000000..a91be73b376
--- /dev/null
+++ b/windows/configuration/taskbar/includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Do not display or track items in Jump Lists from remote locations + +This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites, and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. + +- If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers aren't tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections +- If you disable or don't configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer + +> [!NOTE] +> This setting doesn't prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/example-add-pins.md b/windows/configuration/taskbar/includes/example-add-pins.md new file mode 100644 index 00000000000..06a78334f73 --- /dev/null +++ b/windows/configuration/taskbar/includes/example-add-pins.md @@ -0,0 +1,27 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example-region.md b/windows/configuration/taskbar/includes/example-region.md new file mode 100644 index 00000000000..7c3c8f4eba8 --- /dev/null +++ b/windows/configuration/taskbar/includes/example-region.md 
@@ -0,0 +1,43 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example-remove-pins.md b/windows/configuration/taskbar/includes/example-remove-pins.md new file mode 100644 index 00000000000..e2f95fc832e --- /dev/null +++ b/windows/configuration/taskbar/includes/example-remove-pins.md @@ -0,0 +1,24 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example-replace-pins.md b/windows/configuration/taskbar/includes/example-replace-pins.md new file mode 100644 index 00000000000..ccd014ee99e --- /dev/null +++ b/windows/configuration/taskbar/includes/example-replace-pins.md @@ -0,0 +1,27 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + + + + + +``` diff --git a/windows/configuration/taskbar/includes/example.md b/windows/configuration/taskbar/includes/example.md new file mode 100644 index 00000000000..4a31f71fce3 --- /dev/null +++ b/windows/configuration/taskbar/includes/example.md @@ -0,0 +1,53 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 03/13/2024 +ms.topic: include +--- + +```xml + + + + + + + + + +``` + +::: zone pivot="windows-10" + +### Sample taskbar configuration added to Start layout XML file + +If you configure the Start layout using policy settings, you can modify the existing XML file by adding the taskbar customizations to it. Here's an example of a Start layout XML file that includes the `CustomTaskbarLayoutCollection` node. + +```xml + + + + + + + + + + + + + + + + + + + +``` + +::: zone-end 
diff --git a/windows/configuration/taskbar/includes/hide-recent-jumplists.md b/windows/configuration/taskbar/includes/hide-recent-jumplists.md new file mode 100644 index 00000000000..8e4ad2a207c --- /dev/null +++ b/windows/configuration/taskbar/includes/hide-recent-jumplists.md @@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/12/2024 +ms.topic: include +--- + +### Hide recent jumplists + +Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents. + +- If you enable this setting: + - The system and apps don't create shortcuts to documents opened + - The system empties the Recent Items menu on the Start menu, and apps don't display shortcuts at the bottom of the File menu + - The Jump Lists in the Start Menu and Taskbar don't show lists of recently or frequently used files, folders, or websites +- If you disable or don't configure this setting, the system stores and displays shortcuts to recently and frequently used files, folders, and websites +- If you enable this setting but don't enable the **Remove Recent Items menu from Start Menu** setting, the Recent Items menu appears on the Start menu, but it's empty. +- If you enable this setting, but then later disable it or set it to **Not Configured**, the document shortcuts saved before the setting was enabled reappear in the Recent Items menu and program File menus, and Jump Lists. This setting doesn't hide or prevent the user from pinning files, folders, or websites to the Jump Lists. This setting doesn't hide document shortcuts displayed in the Open dialog box + +| | Path | +|--|--| +| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)
    - `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) | +| **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**
    - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**| diff --git a/windows/configuration/taskbar/includes/hide-the-notification-area.md b/windows/configuration/taskbar/includes/hide-the-notification-area.md new file mode 100644 index 00000000000..f7f8b3f04d1 --- /dev/null +++ b/windows/configuration/taskbar/includes/hide-the-notification-area.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Hide the notification area + +This setting affects the notification area (previously called the "system tray") on the taskbar. Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. If this setting is enabled, the user?s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. If this setting is disabled or isn't configured, the notification area is shown in the user's taskbar. Note: Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there's no need to clean up the icons. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/hide-the-taskview-button.md b/windows/configuration/taskbar/includes/hide-the-taskview-button.md new file mode 100644 index 00000000000..567f130a95e --- /dev/null +++ b/windows/configuration/taskbar/includes/hide-the-taskview-button.md 
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Hide the TaskView button + +This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button is hidden and the Settings toggle disabled. + +| | Path | +|--|--| +| **CSP** |- `./Device/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton)
    - `./User/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) | +| **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**
    - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/lock-all-taskbar-settings.md b/windows/configuration/taskbar/includes/lock-all-taskbar-settings.md new file mode 100644 index 00000000000..981e828059e --- /dev/null +++ b/windows/configuration/taskbar/includes/lock-all-taskbar-settings.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Lock all taskbar settings + +With this policy setting you lock all taskbar settings. + +- If you enable this policy setting, the user can't access the taskbar control panel. The user can't resize, move, or rearrange toolbars on their taskbar +- If you disable or don't configure this policy setting, the user can set any taskbar setting that isn't prevented by another policy setting + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/lock-the-taskbar.md b/windows/configuration/taskbar/includes/lock-the-taskbar.md new file mode 100644 index 00000000000..93986d56269 --- /dev/null +++ b/windows/configuration/taskbar/includes/lock-the-taskbar.md 
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Lock the Taskbar
+
+This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it's locked, it can't be moved or resized. If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, autohide and other taskbar options are still available in Taskbar properties. If you disable this setting or don't configure it, the user can configure the taskbar position. Note: Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user can't show and hide various toolbars using the taskbar context menu.
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/prevent-changes-to-taskbar-and-start-menu-settings.md b/windows/configuration/taskbar/includes/prevent-changes-to-taskbar-and-start-menu-settings.md
new file mode 100644
index 00000000000..07b9780bb7e
--- /dev/null
+++ b/windows/configuration/taskbar/includes/prevent-changes-to-taskbar-and-start-menu-settings.md
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent changes to Taskbar and Start Menu Settings + +With this policy setting you prevent changes to taskbar and Start settings. + +- If you enable this policy setting, the user can't open the Taskbar properties dialog box. If the user right-clicks the taskbar and then selects Properties, a message appears explaining that a setting prevents the action +- If you disable or don't configure this policy setting, the Taskbar and Start menu items are available from Settings on the Start menu + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**
    - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-grouping-of-taskbar-items.md b/windows/configuration/taskbar/includes/prevent-grouping-of-taskbar-items.md new file mode 100644 index 00000000000..8fdaf1d499a --- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-grouping-of-taskbar-items.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Prevent grouping of taskbar items + +Taskbar grouping consolidates similar applications when there's no room on the taskbar. It kicks in when the user's taskbar is full. + +- If you enable this policy setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled +- If you disable or don't configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/prevent-users-from-adding-or-removing-toolbars.md b/windows/configuration/taskbar/includes/prevent-users-from-adding-or-removing-toolbars.md new file mode 100644 index 00000000000..bfd489e4baa --- /dev/null +++ b/windows/configuration/taskbar/includes/prevent-users-from-adding-or-removing-toolbars.md 
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Prevent users from adding or removing toolbars
+
+With this policy setting you prevent users from adding or removing toolbars.
+
+- If you enable this policy setting, the user isn't allowed to add or remove any toolbars to the taskbar. Applications can't add toolbars either
+- If you disable or don't configure this policy setting, the users and applications can add toolbars to the taskbar
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md b/windows/configuration/taskbar/includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md
new file mode 100644
index 00000000000..34d6cbff58a
--- /dev/null
+++ b/windows/configuration/taskbar/includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Prevent users from moving taskbar to another screen dock location
+
+With this policy setting you prevent users from moving taskbar to another screen dock location.
+
+- If you enable this policy setting, users can't drag their taskbar to another area of the monitor(s)
+- If you disable or don't configure this policy setting, users can drag their taskbar to another area of the monitor, unless prevented by another policy setting
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/prevent-users-from-rearranging-toolbars.md b/windows/configuration/taskbar/includes/prevent-users-from-rearranging-toolbars.md
new file mode 100644
index 00000000000..801b804b914
--- /dev/null
+++ b/windows/configuration/taskbar/includes/prevent-users-from-rearranging-toolbars.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Prevent users from rearranging toolbars
+
+With this policy setting you prevent users from rearranging toolbars.
+
+- If you enable this policy setting, users can't drag or drop toolbars to the taskbar
+- If you disable or don't configure this policy setting, users can rearrange the toolbars on the taskbar
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/prevent-users-from-resizing-the-taskbar.md b/windows/configuration/taskbar/includes/prevent-users-from-resizing-the-taskbar.md
new file mode 100644
index 00000000000..8796175a153
--- /dev/null
+++ b/windows/configuration/taskbar/includes/prevent-users-from-resizing-the-taskbar.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Prevent users from resizing the taskbar
+
+With this policy setting you prevent users from resizing the taskbar.
+
+- If you enable this policy setting, users can't resize their taskbar
+- If you disable or don't configure this policy setting, users can resize their taskbar, unless prevented by another setting
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/remove-access-to-the-context-menus-for-the-taskbar.md b/windows/configuration/taskbar/includes/remove-access-to-the-context-menus-for-the-taskbar.md new file mode 100644 index 00000000000..a79bd60c892 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-access-to-the-context-menus-for-the-taskbar.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove access to the context menus for the taskbar + +With this policy setting you can remove access to the context menus for the taskbar. + +- If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden. For example the Start button, the clock, and the taskbar buttons. +- If you disable or don't configure this policy setting, the context menus for the taskbar are available + +This policy setting doesn't prevent users from using other methods to issue the commands that appear on these menus. + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**
    - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-clock-from-the-system-notification-area.md b/windows/configuration/taskbar/includes/remove-clock-from-the-system-notification-area.md new file mode 100644 index 00000000000..ee455afcd77 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-clock-from-the-system-notification-area.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove Clock from the system notification area + +- If you enable this policy setting, the clock isn't displayed in the system notification area +- If you disable or don't configure this policy setting, the default behavior accur, and the clock appears in the notification area + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-notifications-and-action-center.md b/windows/configuration/taskbar/includes/remove-notifications-and-action-center.md new file mode 100644 index 00000000000..d141649c74c --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-notifications-and-action-center.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove Notifications and Action Center + +This policy setting removes *Notifications* and *Action Center* from the notification area on the taskbar. + +The notification area is located at the far right end of the taskbar, and includes icons for current notifications and the system clock. + +- If this setting is enabled, Notifications and Action Center aren't displayed in the notification area. The user can read notifications when they appear, but they can't review any notifications they miss +- If you disable or don't configure this policy setting, Notification and Security and Maintenance are displayed on the taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-pinned-programs-from-the-taskbar.md b/windows/configuration/taskbar/includes/remove-pinned-programs-from-the-taskbar.md new file mode 100644 index 00000000000..901e8f24028 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-pinned-programs-from-the-taskbar.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove pinned programs from the Taskbar + +This policy setting allows you to remove pinned programs from the taskbar. + +- If you enable this policy setting, pinned programs are removed from the taskbar. Users can't pin programs to the taskbar +- If you disable or don't configure this policy setting, users can pin programs so that the program shortcuts stay on the taskbar + +| | Path | +|--|--| +| **CSP** | Not available. | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**
    - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-quick-settings.md b/windows/configuration/taskbar/includes/remove-quick-settings.md new file mode 100644 index 00000000000..58e2e010693 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-quick-settings.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 04/11/2024 +ms.topic: include +--- + +### Remove Quick Settings + +This policy setting removes Quick Settings from the bottom right area on the taskbar. The Quick Settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. + +If this setting is enabled, Quick Settings isn't displayed in the Quick Settings area. + +> [!NOTE] +> A reboot is required for this policy setting to take effect. + +| | Path | +|--|--| +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[DisableControlCenter](/windows/client-management/mdm/policy-csp-start#disablecontrolcenter) | +| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | diff --git a/windows/configuration/taskbar/includes/remove-the-battery-meter.md b/windows/configuration/taskbar/includes/remove-the-battery-meter.md new file mode 100644 index 00000000000..5eac19f2600 --- /dev/null +++ b/windows/configuration/taskbar/includes/remove-the-battery-meter.md 
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Remove the battery meter
+
+With this policy setting you can remove the battery meter from the system control area.
+
+- If you enable this policy setting, the battery meter isn't displayed in the system notification area
+- If you disable or don't configure this policy setting, the battery meter is displayed in the system notification area
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/remove-the-meet-now-icon.md b/windows/configuration/taskbar/includes/remove-the-meet-now-icon.md
new file mode 100644
index 00000000000..e0ed92dcbb2
--- /dev/null
+++ b/windows/configuration/taskbar/includes/remove-the-meet-now-icon.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Remove the Meet Now icon
+
+With this policy setting allows you can remove the Meet Now icon from the system control area.
+
+- If you enable this policy setting, the Meet Now icon isn't displayed in the system notification area
+- If you disable or don't configure this policy setting, the Meet Now icon is displayed in the system notification area
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/remove-the-networking-icon.md b/windows/configuration/taskbar/includes/remove-the-networking-icon.md
new file mode 100644
index 00000000000..18f8a0d6ba9
--- /dev/null
+++ b/windows/configuration/taskbar/includes/remove-the-networking-icon.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Remove the networking icon
+
+With this policy setting you can remove the networking icon from the system control area.
+
+- If you enable this policy setting, the networking icon isn't displayed in the system notification area
+- If you disable or don't configure this policy setting, the networking icon is displayed in the system notification area
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/remove-the-people-bar-from-the-taskbar.md b/windows/configuration/taskbar/includes/remove-the-people-bar-from-the-taskbar.md
new file mode 100644
index 00000000000..9a07b3ea068
--- /dev/null
+++ b/windows/configuration/taskbar/includes/remove-the-people-bar-from-the-taskbar.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Remove the People Bar from the taskbar
+
+With this policy allows you can remove the People Bar from the taskbar and disables the My People experience. If you enable this policy setting, the people icon is removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users can't pin people to the taskbar.
+
+| | Path |
+|--|--|
+| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/remove-the-volume-control-icon.md b/windows/configuration/taskbar/includes/remove-the-volume-control-icon.md
new file mode 100644
index 00000000000..b1c847e81c3
--- /dev/null
+++ b/windows/configuration/taskbar/includes/remove-the-volume-control-icon.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Remove the volume control icon
+
+With this policy setting you can remove the volume control icon from the system control area.
+
+- If you enable this policy setting, the volume control icon isn't displayed in the system notification area
+- If you disable or don't configure this policy setting, the volume control icon is displayed in the system notification area
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/show-additional-calendar.md b/windows/configuration/taskbar/includes/show-additional-calendar.md
new file mode 100644
index 00000000000..8198012d72b
--- /dev/null
+++ b/windows/configuration/taskbar/includes/show-additional-calendar.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Show additional calendar
+
+By default, the calendar is set according to the locale of the operating system, and users can show an additional calendar.
+
+- For `zh-CN` and `zh-SG` locales, an additional calendar shows the lunar month and date and holiday names in Simplified Chinese (Lunar) by default
+- For `zh-TW`, `zh-HK`, and `zh-MO` locales, an additional calendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default
+
+- If you enable this policy setting, users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar), regardless of the locale
+- If you disable this policy setting, users can't show an additional calendar, regardless of the locale
+- If you don't configure this policy setting, the calendar will be set according to the default logic
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/simplify-quick-settings-layout.md b/windows/configuration/taskbar/includes/simplify-quick-settings-layout.md
new file mode 100644
index 00000000000..bce9e7ab7d6
--- /dev/null
+++ b/windows/configuration/taskbar/includes/simplify-quick-settings-layout.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Simplify Quick Settings Layout
+
+- If you enable this policy, Quick Settings is reduced to only having the Wi-Fi, Bluetooth, Accessibility, and VPN buttons. The brightness slider, volume slider, and battery indicator and link to the Settings app
+- If you disable or don't configure this policy setting, the regular Quick Settings layout appears whenever Quick Settings is invoked
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[SimplifyQuickSettings](/windows/client-management/mdm/policy-csp-start#simplifyquicksettings) |
+| **GPO** | - **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md b/windows/configuration/taskbar/includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md
new file mode 100644
index 00000000000..9642aecd968
--- /dev/null
+++ b/windows/configuration/taskbar/includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Turn off automatic promotion of notification icons to the taskbar
+
+With this policy setting you can turn off automatic promotion of notification icons to the taskbar.
+
+- If you enable this policy setting, newly added notification icons aren't temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel.
+- If you disable or don't configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/includes/turn-off-notification-area-cleanup.md b/windows/configuration/taskbar/includes/turn-off-notification-area-cleanup.md
new file mode 100644
index 00000000000..6150f80740f
--- /dev/null
+++ b/windows/configuration/taskbar/includes/turn-off-notification-area-cleanup.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 04/11/2024
+ms.topic: include
+---
+
+### Turn off notification area cleanup
+
+This setting affects the notification area, also called the *system tray*. The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications.
+
+This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup `<<` icon can be referred to as the *notification chevron*.
+
+- If you enable this setting, the system notification area expands to show all of the notifications that use this area
+- If you disable this setting, the system notification area always collapses notifications
+- If you don't configure it, the user can choose if they want notifications collapsed or expanded
+
+| | Path |
+|--|--|
+| **CSP** | Not available. |
+| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
diff --git a/windows/configuration/taskbar/index.md b/windows/configuration/taskbar/index.md
new file mode 100644
index 00000000000..6ef2fe06f67
--- /dev/null
+++ b/windows/configuration/taskbar/index.md
@@ -0,0 +1,105 @@
+---
+title: Configure the Windows taskbar
+description: Learn how to configure the Windows taskbar to provide quick access to the tools and applications that users need most.
+ms.topic: how-to
+ms.date: 04/17/2024
+ms.collection:
+- essentials-manage
+appliesto:
+zone_pivot_groups: windows-versions-11-10
+---
+
+# Configure the Windows taskbar
+
+The Windows taskbar is an essential component of the Windows operating system. The taskbar acts as a versatile platform for multitasking and quick access to applications and system notifications. For organizations, the ability to customize the taskbar's layout and features through policy settings is invaluable, especially in scenarios where specific roles or functions require streamlined access to certain tools and programs.
+
+::: zone pivot="windows-11"
+
+:::image type="content" source="images/taskbar-11.png" alt-text="Screenshot of the Windows 11 taskbar." border="false" lightbox="./images/taskbar-11.png":::
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+:::image type="content" source="images/taskbar-10.png" alt-text="Screenshot of the Windows 10 taskbar." border="false" lightbox="./images/taskbar-10.png":::
+
+::: zone-end
+
+For example, students can benefit from a customized taskbar that can provide access to educational tools and resources, minimizing distractions and optimizing the learning environment.
+
+Frontline workers, who often operate in fast-paced and dynamic settings, can benefit from a taskbar that is configured to provide immediate access to the most critical applications and functions they need. The taskbar customization can streamline workflows and enhance productivity by reducing the time spent navigating through unnecessary applications or menus.
+
+Kiosks, which are designed for public use, can also take advantage of taskbar customization to offer a simplified and focused interface. This can help users quickly find the information or services they're looking for, which is useful in environments like retail, information centers, or public service areas.
+
+Overall, the ability to customize the Windows taskbar using policy settings enables organizations to create a more controlled, efficient, and user-friendly computing environment tailored to the specific needs of different user groups.
+
+## Taskbar structure
+
+The Windows taskbar consists of several key components that can be customized to meet the needs of different scenarios.
+
+::: zone pivot="windows-11"
+
+Let's review the components of the Windows taskbar by dividing it into three areas:
+
+1. The *left area* contains Widgets, which provide personalized news, weather, and other information
+1. The *center area* contains:
+ 1. Start menu
+ 1. Search
+ 1. Task view
+ 1. Pinned and running apps
+1. The *right area* contains:
+ 1. The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, and any application icons that are running in the background like OneDrive, Teams, or antivirus software
+ 1. Quick actions
+ 1. Calendar
+ 1. Notifications
+
+:::image type="content" source="images/taskbar-sections-11.png" alt-text="Screenshot of the Windows 11 taskbar with the three areas highlighted." border="false" lightbox="./images/taskbar-sections-11.png":::
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+Let's review the components of the Windows taskbar by dividing it into two areas:
+
+1. The *left area* contains:
+ - Start menu
+ - Search
+ - Cortana
+ - Task view
+ - Pinned and running apps
+
+1. The *right area* contains:
+ - People
+ - News and interests
+ - The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, power, network, volume, and any application icons that are running in the background like OneDrive, Teams, or antivirus software
+ - Calendar
+ - Notifications and actions
+
+:::image type="content" source="images/taskbar-sections-10.png" alt-text="Screenshot of the Windows 11 taskbar with the two areas highlighted." border="false" lightbox="./images/taskbar-sections-10.png":::
+
+::: zone-end
+
+## Configuration options
+
+There are several options to configure the Windows taskbar.
+
+If you need to configure a device for a single user, you can pin/unpin applications to the taskbar and rearrange them. The taskbar can be further customized from Settings. Go to **Settings** > **Personalization** > **[Taskbar](ms-settings:taskbar)**.
+
+For advanced customizations and when you need to configure multiple devices, you can use one of the following options:
+
+- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md#csps-in-windows-configuration-designer), which are used at deployment time or for unmanaged devices. To configure the taskbar, use the [Start Policy CSP][WIN-1]
+- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and not managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
+
+> [!NOTE]
+> While many of the taskbar policy settings can be configured using both CSP and GPO, there are some settings that are exclusive to one or the other. To learn about the available policy settings to configure the Start menu via CSP and GPO, see [Taskbar policy settings](policy-settings.md).
+
+## Next steps
+
+In the next sections, you can learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO):
+
+- [Taskbar policy settings](policy-settings.md)
+- [Configure the taskbar pinned applications](pinned-apps.md)
+
+
+
+[WIN-1]: /windows/client-management/mdm/policy-csp-start
diff --git a/windows/configuration/taskbar/pinned-apps.md b/windows/configuration/taskbar/pinned-apps.md
new file mode 100644
index 00000000000..f7cbe59725b
--- /dev/null
+++ b/windows/configuration/taskbar/pinned-apps.md
@@ -0,0 +1,237 @@ +--- +title: Configure the applications pinned to the taskbar +description: Learn how to configure the applications pinned to the Windows taskbar. +ms.topic: how-to +ms.date: 04/17/2024 +appliesto: +zone_pivot_groups: windows-versions-11-10 +--- + +# Configure the applications pinned to the taskbar + +The configuration of the applications pinned to the taskbar is done with the use of an XML file. This article describes how to create and deploy the XML configuration file. + +> [!NOTE] +> If you are looking for OEM information, see the article [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar). + +To learn about all the policy settings to customize the taskbar layout and configure the taskbar behaviors, see [Taskbar policy settings](policy-settings.md). + +## Before you begin + +Here are some considerations before you start configuring the taskbar pinned applications: + +- There's no limit to the number of apps that you can pin +- In the XML file, add apps using the Application User Model ID (AUMID), the Desktop Application ID, or the Desktop Application Link Path +- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Make sure to enter the correct Application ID. To learn more, see [Find the Application User Model ID of an installed app](../store/find-aumid.md) +- If you specify an app to be pinned that isn't provisioned for the user on the device, the pinned icon doesn't appear on the taskbar +- The order of applications in the XML file dictates the order of pinned apps on the taskbar, from left to right. If the OS is configured to use a right-to-left language, then the taskbar order is reversed +- Applications can be pinned using the following methods: + - Default Windows apps, pinned during the OS installation. For example: Microsoft Edge, File Explorer, and Store. 
These applications are pinned first (blue square) + - Pinned manually by the user. These applications are usually pinned next to the default pinned apps (red circle) + - Pinned via policy settings. These applications are pinned after the apps pinned manually by the user (green triangle) + +::: zone pivot="windows-10" + +:::image type="content" source="images/pin-layout-10.png" border="false" lightbox="images/pin-layout-10.png" alt-text="Screenshot of the taskbar with Windows default pinned apps, user pinned apps, and policy-pinned apps."::: + +::: zone-end + +::: zone pivot="windows-11" + +:::image type="content" source="images/pin-layout-11.png" border="false" lightbox="images/pin-layout-11.png" alt-text="Screenshot of the taskbar with Windows default pinned apps, user pinned apps, and policy-pinned apps."::: + +::: zone-end + +## Configuration steps + +The following steps describe how to configure the taskbar pinned applications using policy settings: + +1. Create the XML file. You can start with the [XML example](#taskbar-layout-example) +1. Edit the XML file to meet your requirements and save it +1. Deploy the XML file to devices using configuration service provider (CSP), provisioning packages (PPKG), or group policy (GPO) + +>[!IMPORTANT] +>If you use a provisioning package or `import-startlayout` to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO. + +::: zone pivot="windows-10" + +>[!NOTE] +>If you use GPO and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. 
If you use GPO and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a partial Start layout, users can make changes to the taskbar and to tile groups not defined in the partial Start layout. +> +> For more information, see [Configure the Start menu](../start/index.md). + +::: zone-end + +## Taskbar layout example + +Here you can find an example of taskbar layout that you can use as a reference: + +[!INCLUDE [example](includes/example.md)] + +### Modify the configuration file + +> [!CAUTION] +> When you make changes to the XML file, be aware that the XML format must adhere to an [XML schema definition (XSD)](xsd.md). + +You can change the apps pinned to the taskbar by modifying the `` node. + +1. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps: + - ``: Select this option for UWP apps. Add the *AUMID* of the UWP app + - ``: Select this option for desktop apps. Add the *Desktop Application ID* or the *Desktop Application Link Path* of the desktop app +1. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: + - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned + - ``: Unpins the default apps. Only the apps you add are pinned. If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned +1. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region +1. 
Save the file + +For practical examples of how to add, remove, or replace pinned apps, see the following sections: + +- [Add pins](#example-add-pins) +- [Remove default pins](#example-remove-pins) +- [Replace default pins](#example-replace-pins) +- [Configure the taskbar by country or region](#example-configure-the-taskbar-by-country-or-region) + +#### Example: add pins + +The `` section appends the listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. + +[!INCLUDE [example-add-pins](includes/example-add-pins.md)] + +**Before and after:** + +::: zone pivot="windows-11" +:::image type="content" source="images/pin-add-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after adding pins." border="false" lightbox="./images/pin-add-11.png"::: +::: zone-end + +::: zone pivot="windows-10" +:::image type="content" source="images/pin-add-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after adding pins." border="false" lightbox="./images/pin-add-10.png"::: +::: zone-end + +#### Example: remove pins + +To remove all pins, add `PinListPlacement="Replace"` to ``. + +[!INCLUDE [example-remove-pins](includes/example-remove-pins.md)] + +**Before and after:** + +::: zone pivot="windows-11" +:::image type="content" source="images/pin-remove-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after removing pins." border="false" lightbox="images/pin-remove-11.png"::: +::: zone-end + +::: zone pivot="windows-10" +:::image type="content" source="images/pin-remove-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after removing pins." border="false" lightbox="images/pin-remove-10.png"::: +::: zone-end + +#### Example: replace pins + +To replace all default pins and add your own pins, add `PinListPlacement="Replace"` to ``. Then, add the pins that you want to `TaskbarPinList`. 
+ +[!INCLUDE [example-replace-pins](includes/example-replace-pins.md)] + +**Before and after:** + +::: zone pivot="windows-11" +:::image type="content" source="images/pin-replace-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after replacing pins." border="false" lightbox="images/pin-replace-11.png"::: +::: zone-end + +::: zone pivot="windows-10" +:::image type="content" source="images/pin-replace-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after replacing pins." border="false" lightbox="images/pin-replace-10.png"::: +::: zone-end + +#### Example: configure the taskbar by country or region + +In the following XML example, two regions are added: `US|UK` and `DE|FR|IT`: + +[!INCLUDE [example](includes/example-region.md)] + +- If the `` node has region matching the one configured on the device, then the configuration applies +- If the `` node doesn't have a region matching the one configured on the device, then the first `` node without region applies + +> [!NOTE] +> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) + +## Deploy the taskbar configuration + +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) + +To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings: + +| Category | Setting name | Value | +|--|--|--| +| **Start** | Start Layout | Content of the XML file| +| **Start** | Start Layout (User) | Content of the XML file| + +[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. 
Use one of the following settings: + +| Setting | +|--| +| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)
    - **String:**
    - **Value:** content of the XML file | +| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)
    - **Data type:**
    - **Value:** content of the XML file | + +[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)] + +#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] + +- **Path:** `Policies/Start/StartLayout` +- **Value:** content of the XML file + +> [!NOTE] +> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*. + +[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] + +#### [:::image type="icon" source="../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) + +To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use one of the following settings: + +| Group policy path | Group policy setting | Value | +| - | - | - | +|**Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file | +|**User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file | + +[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)] + +The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. 
+ +--- + +## User experience + +After the taskbar layout is applied, the users must sign out and sign in again to see the new layout. Unless prohibited via policy settings, users can pin more apps, change the order, and unpin apps from the taskbar. + +### OS install and upgrade experience + +On a clean install of Windows, if you apply a taskbar layout, the following apps are pinned to the taskbar: + +- Any default apps you don't remove +- Apps that you specifically pin in the XML file + +On a Windows OS upgrade, apps are already pinned to the taskbar. The taskbar layout applies the following logic: + +- If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps +- If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned +- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps +- New apps in updated layout file are pinned after the user's pinned apps + +If you apply the taskbar configuration to a clean install or an update, users can still: + +- Pin more apps +- Change the order of pinned apps +- Unpin any app + +## Next steps + +Learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO): + +- [Taskbar policy settings](policy-settings.md) + +--- +[WIN-1]: /windows/client-management/mdm/policy-csp-start +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 diff --git a/windows/configuration/taskbar/policy-settings.md b/windows/configuration/taskbar/policy-settings.md new file mode 100644 index 00000000000..72ca73538b1 --- /dev/null +++ b/windows/configuration/taskbar/policy-settings.md 
@@ -0,0 +1,182 @@
+---
+title: Taskbar policy settings
+description: Learn about the policy settings to configure the Windows taskbar.
+ms.topic: reference
+ms.date: 04/17/2024
+appliesto:
+zone_pivot_groups: windows-versions-11-10
+---
+
+# Taskbar policy settings
+
+This reference article outlines the policy settings available for customizing the Windows taskbar, using Configuration Service Provider (CSP) or group policy (GPO). For information about how to configure these settings, see [Configure the Windows taskbar](index.md).
+
+The settings are categorized and presented in alphabetical order to facilitate navigation and configuration.
+
+1. **Taskbar layout**: settings to control the taskbar layout and appearance
+1. **Taskbar behaviors**: settings to control the taskbar behaviors and the users' allowed actions
+
+Select one of the tabs to see the list of available settings:
+
+#### [:::image type="icon" source="../images/icons/taskbar.svg"::: **Taskbar layout**](#tab/taskbar)
+
+::: zone pivot="windows-11"
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Allow widgets](#allow-widgets)|✅|✅|
+|[Configure Start layout](#configure-start-layout)|✅|✅|
+|[Configures search on the taskbar](#configures-search-on-the-taskbar)|✅|✅|
+|[Do not display or track items in Jump Lists from remote locations](#do-not-display-or-track-items-in-jump-lists-from-remote-locations)|❌|✅|
+|[Hide recent jumplists](#hide-recent-jumplists)|✅|✅|
+|[Hide the TaskView button](#hide-the-taskview-button)|✅|✅|
+|[Remove Clock from the system notification area](#remove-clock-from-the-system-notification-area)|❌|✅|
+|[Remove Notifications and Action Center](#remove-notifications-and-action-center)|❌|✅|
+|[Remove pinned programs from the Taskbar](#remove-pinned-programs-from-the-taskbar)|❌|✅|
+|[Remove Quick Settings](#remove-quick-settings)|✅|✅|
+|[Show additional calendar](#show-additional-calendar)|❌|✅|
+|[Simplify Quick Settings Layout](#simplify-quick-settings-layout)|✅|✅|
+|[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅|
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Allow widgets](#allow-widgets)|✅|✅|
+|[Configure Start layout](#configure-start-layout)|✅|✅|
+|[Configures search on the taskbar](#configures-search-on-the-taskbar)|✅|✅|
+|[Do not display or track items in Jump Lists from remote locations](#do-not-display-or-track-items-in-jump-lists-from-remote-locations)|❌|✅|
+|[Hide recent jumplists](#hide-recent-jumplists)|✅|✅|
+|[Hide the notification area](#hide-the-notification-area)|❌|✅|
+|[Remove Clock from the system notification area](#remove-clock-from-the-system-notification-area)|❌|✅|
+|[Remove Notifications and Action Center](#remove-notifications-and-action-center)|❌|✅|
+|[Remove pinned programs from the Taskbar](#remove-pinned-programs-from-the-taskbar)|❌|✅|
+|[Remove the battery meter](#remove-the-battery-meter)|❌|✅|
+|[Remove the Meet Now icon](#remove-the-meet-now-icon)|❌|✅|
+|[Remove the networking icon](#remove-the-networking-icon)|❌|✅|
+|[Remove the People Bar from the taskbar](#remove-the-people-bar-from-the-taskbar)|✅|✅|
+|[Remove the volume control icon](#remove-the-volume-control-icon)|❌|✅|
+|[Show additional calendar](#show-additional-calendar)|❌|✅|
+|[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅|
+|[Turn off notification area cleanup](#turn-off-notification-area-cleanup)|❌|✅|
+
+::: zone-end
+
+[!INCLUDE [allow-widgets](includes/allow-widgets.md)]
+[!INCLUDE [configure-start-layout](includes/configure-start-layout.md)]
+[!INCLUDE [configures-search-on-the-taskbar](includes/configures-search-on-the-taskbar.md)]
+[!INCLUDE [do-not-display-or-track-items-in-jump-lists-from-remote-locations](includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md)]
+
+::: zone pivot="windows-10"
+[!INCLUDE [hide-the-notification-area](includes/hide-the-notification-area.md)]
+::: zone-end
+
+[!INCLUDE [hide-recent-jumplists](includes/hide-recent-jumplists.md)]
+
+::: zone pivot="windows-11"
+[!INCLUDE [hide-the-taskview-button](includes/hide-the-taskview-button.md)]
+::: zone-end
+
+[!INCLUDE [remove-clock-from-the-system-notification-area](includes/remove-clock-from-the-system-notification-area.md)]
+[!INCLUDE [remove-notifications-and-action-center](includes/remove-notifications-and-action-center.md)]
+[!INCLUDE [remove-pinned-programs-from-the-taskbar](includes/remove-pinned-programs-from-the-taskbar.md)]
+
+::: zone pivot="windows-11"
+[!INCLUDE [remove-quick-settings](includes/remove-quick-settings.md)]
+::: zone-end
+
+::: zone pivot="windows-10"
+[!INCLUDE [remove-the-battery-meter](includes/remove-the-battery-meter.md)]
+[!INCLUDE [remove-the-meet-now-icon](includes/remove-the-meet-now-icon.md)]
+[!INCLUDE [remove-the-networking-icon](includes/remove-the-networking-icon.md)]
+[!INCLUDE [remove-the-people-bar-from-the-taskbar](includes/remove-the-people-bar-from-the-taskbar.md)]
+[!INCLUDE [remove-the-volume-control-icon](includes/remove-the-volume-control-icon.md)]
+::: zone-end
+
+[!INCLUDE [show-additional-calendar](includes/show-additional-calendar.md)]
+
+::: zone pivot="windows-11"
+[!INCLUDE [simplify-quick-settings-layout](includes/simplify-quick-settings-layout.md)]
+::: zone-end
+
+[!INCLUDE [turn-off-automatic-promotion-of-notification-icons-to-the-taskbar](includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md)]
+
+::: zone pivot="windows-10"
+[!INCLUDE [turn-off-notification-area-cleanup](includes/turn-off-notification-area-cleanup.md)]
+::: zone-end
+
+#### [:::image type="icon" source="../images/icons/touch.svg"::: **Taskbar behaviors**](#tab/actions)
+
+::: zone pivot="windows-11"
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Disable editing Quick Settings](#disable-editing-quick-settings)|✅|✅|
+|[Do not allow pinning items in Jump Lists](#do-not-allow-pinning-items-in-jump-lists)|❌|✅|
+|[Do not allow pinning programs to the Taskbar](#do-not-allow-pinning-programs-to-the-taskbar)|✅|✅|
+|[Do not allow pinning Store app to the Taskbar](#do-not-allow-pinning-store-app-to-the-taskbar)|❌|✅|
+|[Do not allow taskbars on more than one display](#do-not-allow-taskbars-on-more-than-one-display)|❌|✅|
+|[Prevent changes to Taskbar and Start Menu Settings](#prevent-changes-to-taskbar-and-start-menu-settings)|❌|✅|
+|[Prevent grouping of taskbar items](#prevent-grouping-of-taskbar-items)|❌|✅|
+|[Remove access to the context menus for the taskbar](#remove-access-to-the-context-menus-for-the-taskbar)|❌|✅|
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Do not allow pinning items in Jump Lists](#do-not-allow-pinning-items-in-jump-lists)|❌|✅|
+|[Do not allow pinning programs to the Taskbar](#do-not-allow-pinning-programs-to-the-taskbar)|✅|✅|
+|[Do not allow pinning Store app to the Taskbar](#do-not-allow-pinning-store-app-to-the-taskbar)|❌|✅|
+|[Lock all taskbar settings](#lock-all-taskbar-settings)|❌|✅|
+|[Lock the Taskbar](#lock-the-taskbar)|❌|✅|
+|[Prevent changes to Taskbar and Start Menu Settings](#prevent-changes-to-taskbar-and-start-menu-settings)|❌|✅|
+|[Prevent grouping of taskbar items](#prevent-grouping-of-taskbar-items)|❌|✅|
+|[Prevent users from adding or removing toolbars](#prevent-users-from-adding-or-removing-toolbars)|❌|✅|
+|[Prevent users from moving taskbar to another screen dock location](#prevent-users-from-moving-taskbar-to-another-screen-dock-location)|❌|✅|
+|[Prevent users from rearranging toolbars](#prevent-users-from-rearranging-toolbars)|❌|✅|
+|[Prevent users from resizing the taskbar](#prevent-users-from-resizing-the-taskbar)|❌|✅|
+|[Remove access to the context menus for the taskbar](#remove-access-to-the-context-menus-for-the-taskbar)|❌|✅|
+|[Turn off notification area cleanup](#turn-off-notification-area-cleanup)|❌|✅|
+
+::: zone-end
+
+::: zone pivot="windows-11"
+[!INCLUDE [disable-editing-quick-settings](includes/disable-editing-quick-settings.md)]
+::: zone-end
+
+[!INCLUDE [do-not-allow-pinning-items-in-jump-lists](includes/do-not-allow-pinning-items-in-jump-lists.md)]
+[!INCLUDE [do-not-allow-pinning-programs-to-the-taskbar](includes/do-not-allow-pinning-programs-to-the-taskbar.md)]
+[!INCLUDE [do-not-allow-pinning-store-app-to-the-taskbar](includes/do-not-allow-pinning-store-app-to-the-taskbar.md)]
+[!INCLUDE [do-not-allow-taskbars-on-more-than-one-display](includes/do-not-allow-taskbars-on-more-than-one-display.md)]
+
+::: zone pivot="windows-10"
+[!INCLUDE [lock-all-taskbar-settings](includes/lock-all-taskbar-settings.md)]
+[!INCLUDE [lock-the-taskbar](includes/lock-the-taskbar.md)]
+::: zone-end
+
+[!INCLUDE [prevent-changes-to-taskbar-and-start-menu-settings](includes/prevent-changes-to-taskbar-and-start-menu-settings.md)]
+[!INCLUDE [prevent-grouping-of-taskbar-items](includes/prevent-grouping-of-taskbar-items.md)]
+
+::: zone pivot="windows-10"
+[!INCLUDE [prevent-users-from-adding-or-removing-toolbars](includes/prevent-users-from-adding-or-removing-toolbars.md)]
+[!INCLUDE [prevent-users-from-moving-taskbar-to-another-screen-dock-location](includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md)]
+[!INCLUDE [prevent-users-from-rearranging-toolbars](includes/prevent-users-from-rearranging-toolbars.md)]
+[!INCLUDE [prevent-users-from-resizing-the-taskbar](includes/prevent-users-from-resizing-the-taskbar.md)]
+::: zone-end
+
+[!INCLUDE [remove-access-to-the-context-menus-for-the-taskbar](includes/remove-access-to-the-context-menus-for-the-taskbar.md)]
+[!INCLUDE [turn-off-automatic-promotion-of-notification-icons-to-the-taskbar](includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md)]
+
+::: zone pivot="windows-10"
+[!INCLUDE [turn-off-notification-area-cleanup](includes/turn-off-notification-area-cleanup.md)]
+::: zone-end
+
+---
+
+## Next steps
+
+The configuration of pinned applications to the taskbar requires the use of an XML file that specifies their pinning order. To learn more about how to create and apply an XML file to configure pinned applications, see [Configure the taskbar pinned applications](pinned-apps.md).
diff --git a/windows/configuration/taskbar/supported-csp-taskbar-windows.md b/windows/configuration/taskbar/supported-csp-taskbar-windows.md
deleted file mode 100644
index b4f8a0c7327..00000000000
--- a/windows/configuration/taskbar/supported-csp-taskbar-windows.md
+++ /dev/null
@@ -1,73 +0,0 @@ ---- -title: Supported CSP policies to customize the Taskbar on Windows 11 -description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -ms.date: 12/31/2017 -ms.topic: article -appliesto: -- ✅ Windows 11 ---- - -# Supported configuration service provider (CSP) policies for Windows 11 taskbar - -The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. - -For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). - -## CSP policies to customize Windows 11 taskbar buttons - -- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) - - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar` - - Local setting: Settings > Personalization > Taskbar > Search - -- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) - - Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button` - - Local setting: Settings > Personalization > Taskbar > Task view - -- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) - - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets` - - Local setting: Settings > Personalization > Taskbar > Widgets - -- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar) - - Group policy: 
`Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting` - - Local setting: Settings > Personalization > Taskbar > Chat - -## Existing CSP policies that Windows 11 taskbar supports - -- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar - -- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` - - Local setting: None - -## Existing CSP policies that Windows 11 doesn't support - -The following list includes some of the CSP policies that aren't supported on Windows 11: - -- [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` - -- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` - -- [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` - -- [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` - -- 
[ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` - -- [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` - -- [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` - -- [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` - -- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` diff --git a/windows/configuration/taskbar/toc.yml b/windows/configuration/taskbar/toc.yml index cbe3e66b835..a20dbfb8939 100644 --- a/windows/configuration/taskbar/toc.yml +++ b/windows/configuration/taskbar/toc.yml @@ -1,7 +1,10 @@ items: -- name: Customize the Taskbar in Windows 11 - href: customize-taskbar-windows-11.md -- name: Supported Taskbar CSPs - href: supported-csp-taskbar-windows.md -- name: Customize the Taskbar in Windows 10 - href: configure-windows-10-taskbar.md \ No newline at end of file +- name: Overview + href: index.md + displayName: Configure the Windows taskbar +- name: Policy settings + href: policy-settings.md +- name: Configure the pinned applications + href: pinned-apps.md +- name: XML schema definition (XSD) + href: xsd.md \ No newline at end of file 
diff --git a/windows/configuration/taskbar/xsd.md b/windows/configuration/taskbar/xsd.md new file mode 100644 index 00000000000..c6d5ded3aad --- /dev/null +++ b/windows/configuration/taskbar/xsd.md @@ -0,0 +1,61 @@ +--- +title: Taskbar XML Schema Definition (XSD) +description: Taskbar XSD reference article. +ms.topic: reference +ms.date: 02/15/2024 +--- + +# Taskbar XML Schema Definition (XSD) + +This reference article contains the Taskbar XML schema definition (XSD). + +## TaskbarLayout + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/windows/configuration/tips/manage-tips-and-suggestions.md b/windows/configuration/tips/manage-tips-and-suggestions.md deleted file mode 100644 index 02b2484664c..00000000000 --- a/windows/configuration/tips/manage-tips-and-suggestions.md +++ /dev/null 
@@ -1,32 +0,0 @@
----
-title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions
-description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
-ms.topic: article
-ms.date: 09/20/2017
----
-
-# Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions
-
-Since its inception, Windows 10 has included a number of user experience features that provide useful tips, "fun facts", and suggestions as you use Windows, as well as app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include:
-
-* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in "hotspots" that are revealed on hover.
-* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Microsoft Store.
-* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the user's experience.
-* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario.
-* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
-
->[!TIP]
-> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows.
-
-Windows 10 provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
-
-## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions
-
-| Windows 10 edition | Disable | Show Microsoft apps only | Show Microsoft and popular third-party apps |
-|--|--|--|--|
-| Windows 10 Pro | No | Yes | Yes (default) |
-| Windows 10 Enterprise | Yes | Yes | Yes (default) |
-| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
-| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
-
-[Learn more about policy settings for Windows Spotlight.](../lock-screen/windows-spotlight.md)
diff --git a/windows/configuration/toc.yml b/windows/configuration/toc.yml
index ca93c8e7dbd..45b8217fabc 100644
--- a/windows/configuration/toc.yml
+++ b/windows/configuration/toc.yml
@@ -3,29 +3,21 @@ items: href: index.yml - name: Accessibility information for IT Pros href: accessibility/index.md -- name: Customize the appearance - items: - - name: Start - href: start/toc.yml - - name: Taskbar - href: taskbar/toc.yml +- name: Start + href: start/toc.yml +- name: Taskbar + href: taskbar/toc.yml +- name: Windows spotlight + href: windows-spotlight/index.md - name: Microsoft Store - items: - - name: Configure access to the Microsoft Store - href: store/stop-employees-from-using-microsoft-store.md - - name: Manage Microsoft Store tips, "fun facts", and suggestions - href: tips/manage-tips-and-suggestions.md -- name: Windows Spotlight - href: lock-screen/windows-spotlight.md + href: store/toc.yml - name: Cellular settings href: cellular/provisioning-apn.md -- name: Kiosks and restricted user experience - href: kiosk/toc.yml +- name: Kiosks and restricted user experiences + href: assigned-access/toc.yml - name: Multi-user and guest devices href: shared-pc/toc.yml -- name: Use provisioning packages +- name: Provisioning packages href: provisioning-packages/toc.yml -- name: Windows Configuration Designer reference +- name: Windows Configuration Designer href: wcd/toc.yml -- name: User Experience Virtualization (UE-V) - href: ue-v/toc.yml \ No newline at end of file diff --git a/windows/configuration/ue-v/images/uev-adk-select-uev-feature.png b/windows/configuration/ue-v/images/uev-adk-select-uev-feature.png deleted file mode 100644 index 1556f115c00..00000000000 Binary files a/windows/configuration/ue-v/images/uev-adk-select-uev-feature.png and /dev/null differ diff --git a/windows/configuration/ue-v/images/uev-archdiagram.png b/windows/configuration/ue-v/images/uev-archdiagram.png deleted file mode 100644 index eae098e6661..00000000000 Binary files a/windows/configuration/ue-v/images/uev-archdiagram.png and /dev/null differ 
diff --git a/windows/configuration/ue-v/images/uev-checklist-box.gif b/windows/configuration/ue-v/images/uev-checklist-box.gif deleted file mode 100644 index 8af13c51d1b..00000000000 Binary files a/windows/configuration/ue-v/images/uev-checklist-box.gif and /dev/null differ diff --git a/windows/configuration/ue-v/images/uev-deployment-preparation.png b/windows/configuration/ue-v/images/uev-deployment-preparation.png deleted file mode 100644 index b665a0bfea4..00000000000 Binary files a/windows/configuration/ue-v/images/uev-deployment-preparation.png and /dev/null differ diff --git a/windows/configuration/ue-v/images/uev-generator-process.png b/windows/configuration/ue-v/images/uev-generator-process.png deleted file mode 100644 index e16cedd0a76..00000000000 Binary files a/windows/configuration/ue-v/images/uev-generator-process.png and /dev/null differ diff --git a/windows/configuration/ue-v/toc.yml b/windows/configuration/ue-v/toc.yml deleted file mode 100644 index 8da6a3d8d42..00000000000 --- a/windows/configuration/ue-v/toc.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -items: -- name: User Experience Virtualization (UE-V) for Windows 10 - href: uev-for-windows.md -- name: Get started with UE-V - items: - - name: Get started with UE-V - href: uev-getting-started.md - - name: What's New in UE-V for Windows 10, version 1607 - href: uev-whats-new-in-uev-for-windows.md - - name: User Experience Virtualization Release Notes - href: uev-release-notes-1607.md - - name: Upgrade to UE-V for Windows 10 - href: uev-upgrade-uev-from-previous-releases.md -- name: Prepare a UE-V Deployment - items: - - name: Prepare a UE-V Deployment - href: uev-prepare-for-deployment.md - - name: Deploy Required UE-V Features - href: uev-deploy-required-features.md - - name: Deploy UE-V for use with Custom Applications - href: uev-deploy-uev-for-custom-applications.md -- name: Administer UE-V - items: - - name: UE-V administration guide - href: uev-administering-uev.md - - name: Manage Configurations for UE-V - items: - - name: Manage Configurations for UE-V - href: uev-manage-configurations.md - - name: Configuring UE-V with Group Policy Objects - href: uev-configuring-uev-with-group-policy-objects.md - - name: Configuring UE-V with Microsoft Configuration Manager - href: uev-configuring-uev-with-system-center-configuration-manager.md - - name: Administering UE-V with Windows PowerShell and WMI - href: uev-administering-uev-with-windows-powershell-and-wmi.md - - name: Managing the UE-V Service and Packages with Windows PowerShell and WMI - href: uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md - - name: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI - href: uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md - - name: Working with Custom UE-V Templates and the UE-V Template Generator - href: uev-working-with-custom-templates-and-the-uev-generator.md - - name: Manage Administrative Backup and Restore in UE-V - href: uev-manage-administrative-backup-and-restore.md - - 
name: Changing the Frequency of UE-V Scheduled Tasks - href: uev-changing-the-frequency-of-scheduled-tasks.md - - name: Migrating UE-V Settings Packages - href: uev-migrating-settings-packages.md - - name: Using UE-V with Application Virtualization Applications - href: uev-using-uev-with-application-virtualization-applications.md -- name: Troubleshooting UE-V - href: uev-troubleshooting.md -- name: Technical Reference for UE-V - items: - - name: Technical Reference for UE-V - href: uev-technical-reference.md - - name: Sync Methods for UE-V - href: uev-sync-methods.md - - name: Sync Trigger Events for UE-V - href: uev-sync-trigger-events.md - - name: Synchronizing Microsoft Office with UE-V - href: uev-synchronizing-microsoft-office-with-uev.md - - name: Application Template Schema Reference for UE-V - href: uev-application-template-schema-reference.md - - name: Security Considerations for UE-V - href: uev-security-considerations.md diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md deleted file mode 100644 index 1c79ab59487..00000000000 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ /dev/null 
@@ -1,26 +0,0 @@
----
-title: Administering UE-V with Windows PowerShell and WMI
-description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
-ms.date: 1/25/2024
-ms.topic: article
----
-
-# Administering UE-V with Windows PowerShell and WMI
-
-User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. The following sections provide more information about using Windows PowerShell in UE-V.
-
-> [!NOTE]
->
-> Administering UE-V with Windows PowerShell requires PowerShell 3.0 or higher. For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](/powershell/module/uev/).
-
-## Managing the UE-V service and packages by using Windows PowerShell and WMI
-
-You can use Windows PowerShell and Windows Management Instrumentation (WMI) to manage UE-V service configuration and synchronization behavior. The following topic describes how to manage configuration and synchronization.
-
-[Managing the UE-V Service and Packages with Windows PowerShell and WMI](uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
-
-## Managing UE-V settings location templates by using Windows PowerShell and WMI
-
-After you create and deploy UE-V settings location templates, you can manage those templates by using Windows PowerShell or WMI. The following topic describes how to manage the settings location templates by using Windows PowerShell and WMI.
-
-[Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
deleted file mode 100644
index 40669d9a7ae..00000000000
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Administering UE-V
-description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
-ms.date: 1/25/2024
-ms.topic: article
----
-
-# Administering UE-V
-
-After you finish deploying User Experience Virtualization (UE-V), you'll perform ongoing administrative tasks, such as managing the configuration of the UE-V service and recovering lost settings. These tasks are explained in the following sections.
-
-## Managing UE-V configurations
-
-In the course of the UE-V lifecycle, you'll manage the configuration of the UE-V service and also manage storage locations for resources such as settings package files.
-
-[Manage Configurations for UE-V](uev-manage-configurations.md)
-
-## Working with custom UE-V templates and the UE-V template generator
-
-This topic explains how to use the UE-V template generator and manage custom settings location templates.
-
-[Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md)
-
-## Back up and restore application and Windows settings that are synchronized with UE-V
-
-Windows Management Instrumentation (WMI) and Windows PowerShell features of UE-V allow you to restore settings packages. By using WMI and Windows PowerShell commands, you can restore application and Windows settings to their original state and restore other settings when a user adopts a new device.
-
-[Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md)
-
-## Changing the frequency of UE-V scheduled tasks
-
-You can configure the scheduled tasks that manage when UE-V checks for new or updated settings or for updated custom settings location templates in the settings template catalog.
-
-[Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md)
-
-## Migrating UE-V settings packages
-
-You can relocate the user settings packages either when they migrate to a new server or for backup purposes.
-
-[Migrating UE-V Settings Packages](uev-migrating-settings-packages.md)
-
-## Using UE-V with Application Virtualization applications
-
-You can use UE-V with Microsoft Application Virtualization (App-V) to share settings between virtual applications and installed applications across multiple computers.
-
-[Using UE-V with Application Virtualization Applications](uev-using-uev-with-application-virtualization-applications.md)
-
-## Other resources for this feature
-
-- [User Experience Virtualization for Windows overview](uev-for-windows.md)
-- [Get Started with UE-V](uev-getting-started.md)
-- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
-- [Troubleshooting UE-V](uev-troubleshooting.md)
-- [Technical Reference for UE-V](uev-technical-reference.md)
-
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
deleted file mode 100644
index 33f11ea8eb9..00000000000
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ /dev/null
@@ -1,744 +0,0 @@ ---- -title: Application Template Schema Reference for UE-V -description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. -ms.date: 1/25/2024 -ms.topic: article ---- - -# Application Template Schema Reference for UE-V - -User Experience Virtualization (UE-V) uses XML settings location templates to define the desktop application settings and Windows settings that are captured and applied by UE-V. UE-V includes a set of default settings location templates. You can also create custom settings location templates with the UE-V template generator. - -An advanced user can customize the XML file for a settings location template. This topic details the XML structure of the UE-V settings location templates and provides guidance for editing these files. - -## UE-V Application Template Schema Reference - -This section details the XML structure of the UE-V settings location template and provides guidance for editing this file. - -### In This Section - -- [XML Declaration and Encoding Attribute](#xml21) -- [Namespace and Root Element](#namespace21) -- [Data types](#data21) -- [Name Element](#name21) -- [ID Element](#id21) -- [Version Element](#version21) -- [Author Element](#author21) -- [Processes and Process Element](#processes21) -- [Application Element](#application21) -- [Common Element](#common21) -- [SettingsLocationTemplate Element](#settingslocationtemplate21) -- [Appendix: SettingsLocationTemplate.xsd](#appendix21) - -### XML Declaration and Encoding Attribute - -**Mandatory: True** -**Type: String** - -The XML declaration must specify the XML version 1.0 attribute (<?xml version="1.0">). Settings location templates created by the UE-V template generator are saved in UTF-8 encoding, although the encoding isn't explicitly specified. We recommend that you include the encoding="UTF-8" attribute in this element as a best practice. 
All templates included with the product specify this tag as well (see the documents in %ProgramFiles%\\Microsoft User Experience Virtualization\\Templates for reference). For example: - -`` - -### Namespace and Root Element - -**Mandatory: True** -**Type: String** - -UE-V uses the `https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag: - -```xml - -``` - -### Data types - -These data types are the ones for the UE-V application template schema. - -**GUID** -GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This GUID is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. - -**FilenameString** -FilenameString refers to the file name of a process to be monitored. Its values are restricted by the regex \[^\\\\\\?\\\*\\|<>/:\]+, (that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon characters). - -**IDString** -IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It's restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). - -**TemplateVersion** -TemplateVersion is an integer value used to describe the revision of the settings location template. Its value may range from 0 to 2147483647. - -**Empty** -Empty refers to a null value. This data type is used in Process\\ShellProcess to indicate that there's no process to monitor. This value shouldn't be used in any application templates. 
- -**Author** -The Author data type is a complex type that identifies the author of a template. It contains two child elements: **Name** and **Email**. Within the Author data type, the Name element is mandatory while the Email element is optional. This type is described in more detail under the SettingsLocationTemplate element. - -**Range** -Range defines an integer class consisting of two child elements: **Minimum** and **Maximum**. This data type is implemented in the ProcessVersion data type. If specified, both Minimum and Maximum values must be included. - -**ProcessVersion** -ProcessVersion defines a type with four child elements: **Major**, **Minor**, **Build**, and **Patch**. This data type is used by the Process element to populate its ProductVersion and FileVersion values. The data for this type is a Range value. The Major child element is mandatory and the others are optional. - -**Architecture** -Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture. - -**Process** -The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element's respective data type: - -|Element|Data Type|Mandatory| -|--- |--- |--- | -|Filename|FilenameString|True| -|Architecture|Architecture|False| -|ProductName|String|False| -|FileDescription|String|False| -|ProductVersion|ProcessVersion|False| -|FileVersion|ProcessVersion|False| - -**Processes** -The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. 
- -**Path** -Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default="False". - -Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders aren't included. For registry paths, all values in the current path are captured but child registry keys aren't captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. - -The DeleteIfNotFound attribute removes the setting from the user's settings storage path data. This removal may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. - -**FileMask** -FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. - -**RegistrySetting** -RegistrySetting represents a container for registry keys and values and the associated desired behavior on the part of the UE-V service. Four child elements are defined within this type: **Path**, **Name**, **Exclude**, and a sequence of the values **Path** and **Name**. - -**FileSetting** -FileSetting contains parameters associated with files and files paths. Four child elements are defined: **Root**, **Path**, **FileMask**, and **Exclude**. Root is mandatory and the others are optional. - -**Settings** -Settings is a container for all the settings that apply to a particular template. 
It contains instances of the Registry, File, SystemParameter, and CustomAction settings described earlier. In addition, it can also contain the following child elements with behaviors described: - -|Element|Description| -|--- |--- | -|Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This element is useful for settings that can be applied asynchronously, such as those settings get/set through an API, like SystemParameterSetting.| -|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to 'false', UE-V exports the settings even if other instances of an application are running. Suited templates - those templates that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| -|AlwaysApplySettings|This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.| - -### Name Element - -**Mandatory: True** -**Type: String** - -Name specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. In general, avoid referencing version information, as this referencing can be objected from the ProductVersion element. For example, specify `My Application` rather than `My Application 1.1`. - -> [!NOTE] -> UE-V does not reference external DTDs, so it's not possible to use named entities in a settings location template. 
For example, do not use ® to refer to the registered trade mark sign ®. Instead, use canonical numbered references to include these types of special characters, for example, &\#174 for the ® character. This rule applies to all string values in this document. - -See for a complete list of character entities. UTF-8-encoded documents may include the Unicode characters directly. Saving templates through the UE-V template generator converts character entities to their Unicode representations automatically. - -### ID Element - -**Mandatory: True** -**Type: String** - -ID populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime (for example, see the output of the Get-UevTemplate and Get-UevTemplateProgram PowerShell cmdlets). By convention, this tag shouldn't contain any spaces, which simplifies scripting. Version numbers of applications should be specified in this element to allow for easy identification of the template, such as `MicrosoftOffice2016Win64`. - -### Version Element - -**Mandatory: True** -**Type: Integer** -**Minimum Value: 0** -**Maximum Value: 2147483647** - -Version identifies the version of the settings location template for administrative tracking of changes. The UE-V template generator automatically increments this number by one each time the template is saved. Notice that this field must be a whole number integer; fractional values, such as `2.5` aren't allowed. 
- -> [!TIP] -> You can save notes about version changes using XML comment tags ``, for example: - -```xml - -4 -``` - -> [!IMPORTANT] -> This value is queried to determine if a new version of a template should be applied to an existing template in these instances: - -- When the scheduled Template Auto Update task executes -- When the Update-UevTemplate PowerShell cmdlet is executed -- When the microsoft\\uev:SettingsLocationTemplate Update method is called through WMI - -### Author Element - -**Mandatory: False** -**Type: String** - -Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly. - -### Processes and Process Element - -**Mandatory: True** -**Type: Element** - -Processes contain at least one `` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example: - -```xml - - MyApplication.exe - Win64 - MyApplication - MyApplication.exe - - - - - - - - - - - - - -``` - -### Filename - -**Mandatory: True** -**Type: String** - -Filename refers to the actual file name of the executable as it appears in the file system. This element specifies the primary criterion that UE-V uses to evaluate whether a template applies to a process or not. This element must be specified in the settings location template XML. 
- -Valid filenames must not match the regular expression \[^\\\\\\?\\\*\\|<>/:\]+, that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon (the \\ ? \* | < > / or : characters.). - -> [!TIP] -> To test a string against this regex, use a PowerShell command window and substitute your executable's name for **YourFileName**: - -`"YourFileName.exe" -match "[\\\?\*\|<>/:]+"` - -A value of **True** indicates that the string contains illegal characters. Here are some examples of illegal values: - -- \\\\server\\share\\program.exe -- Program\*.exe -- Pro?ram.exe -- Program<1>.exe - -> [!NOTE] -> The UE-V template generator encodes the greater than and less than characters as > and < respectively. - -In rare circumstances, the FileName value won't necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplication.exe` should be specified instead of `MyApplication`. The second example won't apply the template to the process if the actual name of the executable file is "MyApplication.exe". - -### Architecture - -**Mandatory: False** -**Type: Architecture (String)** - -Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this applicability restriction, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This applicability restriction is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another. 
- -If this element is absent, the settings location template ignores the process' architecture and applies to both 32-bit and 64-bit processes if the file name and other attributes apply. - -> [!NOTE] -> UE-V does not support ARM processors in this version. - -### ProductName - -**Mandatory: False** -**Type: String** - -ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This flexibility allows for more easily understood descriptions of a process where the executable name may not be obvious. For example: - -```xml - - MyApplication.exe - My Application 6.x by Contoso.com - - - - -``` - -### FileDescription - -**Mandatory: False** -**Type: String** - -FileDescription is an optional tag that allows for an administrative description of the executable file. This tag is a free text field and can be useful in distinguishing multiple executables within a software package where there's a need to identify the function of the executable. - -For example, in a suited application, it might be useful to provide reminders about the function of two executables (MyApplication.exe and MyApplicationHelper.exe), as shown here: - -```xml - - - - MyApplication.exe - My Application Main Engine - - - - - - MyApplicationHelper.exe - My Application Background Process Executable - - - - - -``` - -### ProductVersion - -**Mandatory: False** -**Type: String** - -ProductVersion refers to the major and minor product versions of a file, as well as a build and patch level. ProductVersion is an optional element, but if specified, it must contain at least the Major child element. The value must express a range in the form Minimum="X" Maximum="Y" where X and Y are integers. The Minimum and Maximum values can be identical. - -The product and file version elements may be left unspecified. 
Doing so makes the template "version agnostic", meaning that the template will apply to all versions of the specified executable. - -**Example 1:** - -Product version: 1.0 specified in the UE-V template generator produces the following XML: - -```xml - - - - -``` - -**Example 2:** - -File version: 5.0.2.1000 specified in the UE-V template generator produces the following XML: - -```xml - - - - - - -``` - -**Incorrect Example 1 - incomplete range:** - -Only the Minimum attribute is present. Maximum must be included in a range as well. - -```xml - - - -``` - -**Incorrect Example 2 - Minor specified without Major element:** - -Only the Minor element is present. Major must be included as well. - -```xml - - - -``` - -### FileVersion - -**Mandatory: False** -**Type: String** - -FileVersion differentiates between the release version of a published application and the internal build details of a component executable. For most of the commercial applications, these numbers are identical. Where they vary, the product version of a file indicates a generic version identification of a file, while file version indicates a specific build of a file (as in the example of a hotfix or update). This file version uniquely identifies files without breaking detection logic. - -To determine the product version and file version of a particular executable, right-click on the file in Windows Explorer, select Properties, then click on the Details tab. - -Including a FileVersion element for an application allows for more granular fine-tuning detection logic, but isn't necessary for most applications. The ProductVersion element settings are checked first, and then FileVersion is checked. The more restrictive setting will apply. - -The child elements and syntax rules for FileVersion are identical to those elements and rules of ProductVersion. 
- -```xml - - MSACCESS.EXE - Win32 - - - - - - - - - -``` - -### Application Element - -Application is a container for settings that apply to a particular application. It's a collection of the following fields/types. - -|Field/Type|Description| -|--- |--- | -|Name|Specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| -|ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| -|Description|An optional description of the template.| -|LocalizedNames|An optional name displayed in the UI, localized by a language locale.| -|LocalizedDescriptions|An optional template description localized by a language locale.| -|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office361. If Office 365 is being used to sync settings, this template will automatically be disabled.| -|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.| -|Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).| -|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. 
For more information, see **Settings** in [Data types](#data21)".| - -### Common Element - -Common is similar to an Application element, but it's always associated with two or more Application elements. The Common section represents the set of settings that are shared between those Application instances. It's a collection of the following fields/types. - -|Field/Type|Description| -|--- |--- | -|Name|Specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| -|ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| -|Description|An optional description of the template.| -|LocalizedNames|An optional name displayed in the UI, localized by a language locale.| -|LocalizedDescriptions|An optional template description localized by a language locale.| -|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office361. If Office 365 is being used to sync settings, this template will automatically be disabled.| -|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.| -|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. 
For more information, see **Settings** in [Data types](#data21).| - -### SettingsLocationTemplate Element - -This element defines the settings for a single application or a suite of applications. - -|Field/Type|Description| -|--- |--- | -|Name|Specifies a unique name for the settings location template. This type is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| -|ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| -|Description|An optional description of the template.| -|LocalizedNames|An optional name displayed in the UI, localized by a language locale.| -|LocalizedDescriptions|An optional template description localized by a language locale.| - -### Appendix: SettingsLocationTemplate.xsd - -Here's the SettingsLocationTemplate.xsd file showing its elements, child elements, attributes, and parameters: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Related topics - -[Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md) -[Technical Reference for UE-V](uev-technical-reference.md) 
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
deleted file mode 100644
index 6a92f5dd46e..00000000000
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: Changing the Frequency of UE-V Scheduled Tasks
-description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
-ms.date: 1/25/2024
-ms.topic: article
----
-
-# Changing the Frequency of UE-V Scheduled Tasks
-
-When the User Experience Virtualization (UE-V) service is enabled, it creates the following scheduled tasks:
-
-- [Monitor Application Settings](#monitor-application-settings)
-- [Sync Controller Application](#sync-controller-application)
-- [Synchronize Settings at Logoff](#synchronize-settings-at-logoff)
-- [Template Auto Update](#template-auto-update)
-
-> [!NOTE]
-> These tasks must remain enabled, because UE-V cannot function without them.
-
-These scheduled tasks aren't configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options.
-
-For more information about Schtasks.exe, see [Schtasks](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc725744(v=ws.11)).
-
-## UE-V Scheduled Tasks
-
-The following scheduled tasks are included in UE-V with sample scheduled task configuration commands.
-
-### Monitor Application Settings
-
-The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It's runs at sign in but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
-
-|Task name|Default event|
-|--- |--- |
-|\Microsoft\UE-V\Monitor Application Status|Sign in|
-
-### Sync Controller Application
-
-The **Sync Controller Application** task is used to start the Sync Controller to synchronize settings from the computer to the settings storage location. By default, the task runs every 30 minutes.
At that time, local settings are synchronized to the settings storage location, and updated settings on the settings storage location are synchronized to the computer. The Sync Controller application runs the Microsoft.Uev.SyncController.exe, which is located in the UE-V Agent installation directory.
-
-|Task name|Default event|
-|--- |--- |
-|\Microsoft\UE-V\Sync Controller Application|Sign in, and every 30 minutes thereafter|
-
-For example, the following command configures the agent to synchronize settings every 15 minutes instead of the default 30 minutes.
-
-```console
-Schtasks /change /tn "Microsoft\UE-V\Sync Controller Application" /ri 15
-```
-
-### Synchronize Settings at Logoff
-
-The **Synchronize Settings at Logoff** task is used to start an application at sign in that controls the synchronization of applications at sign out for UE-V. The Synchronize Settings at Logoff task runs the Microsoft.Uev.SyncController.exe file, which is located in the UE-V Agent installation directory.
-
-|Task name|Default event|
-|--- |--- |
-|\Microsoft\UE-V\Synchronize Settings at Logoff|Sign in|
-
-### Template Auto Update
-
-The **Template Auto Update** task checks the settings template catalog for new, updated, or removed templates. This task only runs if the SettingsTemplateCatalog is configured. The **Template Auto Update** task runs the ApplySettingsCatalog.exe file, which is located in the UE-V Agent installation directory.
-
-|Task name|Default event|
-|--- |--- |
-|\Microsoft\UE-V\Template Auto Update|System startup and at 3:30 AM every day, at a random time within a 1-hour window|
-
-**Example:** The following command configures the UE-V service to check the settings template catalog store every hour.
-
-```console
-schtasks /change /tn "Microsoft\UE-V\Template Auto Update" /ri 60
-```
-
-## UE-V Scheduled Task Details
-
-The following chart provides additional information about scheduled tasks for UE-V 2:
-
-|Task Name (file name)|Default Frequency|Power Toggle|Idle Only|Network Connection|Description|
-|--- |--- |--- |--- |--- |--- |
-|**Monitor Application Settings** (UevAppMonitor.exe)|Starts 30 seconds after sign in and continues until sign out.|No|Yes|N/A|Synchronizes settings for Windows (AppX) apps.|
-|**Sync Controller Application** (Microsoft.Uev.SyncController.exe)|At sign in and every 30 min thereafter.|Yes|Yes|Only if Network is connected|Starts the Sync Controller that synchronizes local settings with the settings storage location.|
-|**Synchronize Settings at Logoff** (Microsoft.Uev.SyncController.exe)|Runs at sign in and then waits for sign out to Synchronize settings.|No|Yes|N/A|Start an application at sign in that controls the synchronization of applications at sign out.|
-|**Template Auto Update** (ApplySettingsCatalog.exe)|Runs at initial sign in and at 3:30 AM every day thereafter.|Yes|No|N/A|Checks the settings template catalog for new, updated, or removed templates. This task only runs if SettingsTemplateCatalog is configured.|
-
-**Legend**
-
-- **Power Toggle** - Task Scheduler will optimize power consumption when not connected to AC power. The task might stop running if the computer switches to battery power.
-- **Idle Only** - The task will stop running if the computer ceases to be idle. By default the task won't restart when the computer is idle again. Instead the task will begin again on the next task trigger.
-- **Network Connection** - Tasks marked "Yes" only run if the computer has a network connection available. Tasks marked "N/A" run regardless of network connectivity.
-
-### How to Manage Scheduled Tasks
-
-To find Scheduled Tasks, perform the following steps:
-
-1. Open "Schedule Tasks" on the user computer.
-1.
Navigate to: Task Scheduler -> Task Scheduler Library -> Microsoft -> UE-V
-1. Select the scheduled task you wish to manage and configure in the details pane.
-
-### Additional information
-
-The following additional information applies to UE-V scheduled tasks:
-
-- All task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default.
-- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to "SyncProvider" (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings don't synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute. You can also increase the 30-min default to a higher amount if necessary.
-- You don't need to disable the Template Auto Update scheduled task if you use another method to keep the clients' templates in sync (that is, Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately.
-- The Monitor Application Settings scheduled task will update Windows app (AppX) settings in real time, based on Windows app program setting triggers built into each app.
-
-## Related topics
-
-[Administering UE-V](uev-administering-uev.md)
-[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md)
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
deleted file mode 100644
index c238ec602f3..00000000000
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ /dev/null
@@ -1,66 +0,0 @@ ---- -title: Configuring UE-V with Group Policy Objects -description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. -ms.date: 1/25/2024 -ms.topic: article ---- - -# Configuring UE-V with Group Policy Objects - -Some User Experience Virtualization (UE-V) Group Policy settings can be defined for computers, and other Group Policy settings can be defined for users. The Group Policy administrative templates for these settings are included in Windows 10, version 1607. - -The following policy settings can be configured for UE-V. - -### Group Policy settings - -|Group Policy setting name|Target|Group Policy setting description|Configuration options| -|--- |--- |--- |--- | -|Do not use the sync provider|Computers and Users|By using this Group Policy setting, you can configure whether UE-V uses the sync provider feature. This policy setting also lets you enable notification to appear when the import of user settings is delayed.|Enable this setting to configure the UE-V service not to use the sync provider.| -|First Use Notification|Computers Only|This Group Policy setting enables a notification in the notification area that appears when the UE-V service runs for the first time.|The default is enabled.| -|Synchronize Windows settings|Computers and Users|This Group Policy setting configures the synchronization of Windows settings.|Select which Windows settings synchronize between computers.
    By default, Windows themes, desktop settings, and Ease of Access settings synchronize settings between computers of the same operating system version.| -|Settings package size warning threshold|Computers and Users|This Group Policy setting lets you configure the UE-V service to report when a settings package file size reaches a defined threshold.|Specify the preferred threshold for settings package sizes in kilobytes (KB).
    By default, the UE-V service does not have a package file size threshold.| -|Settings storage path|Computers and Users|This Group Policy setting configures where the user settings are to be stored.|Enter a Universal Naming Convention (UNC) path and variables such as \Server\SettingsShare%username%.| -|Settings template catalog path|Computers Only|This Group Policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog is to be used to replace the default Microsoft templates that are installed with the UE-V service.|Enter a Universal Naming Convention (UNC) path such as \Server\TemplateShare or a folder location on the computer.
    Select the check box to replace the default Microsoft templates.| -|Sync settings over metered connections|Computers and Users|This Group Policy setting defines whether UE-V synchronizes settings over metered connections.|By default, the UE-V service does not synchronize settings over a metered connection.| -|Sync settings over metered connections even when roaming|Computers and Users|This Group Policy setting defines whether UE-V synchronizes settings over metered connections outside of the home provider network, for example, when the data connection is in roaming mode.|By default, UE-V does not synchronize settings over a metered connection when it is in roaming mode.| -|Synchronization timeout|Computers and Users|This Group Policy setting configures the number of milliseconds that the computer waits before a time-out when it retrieves user settings from the remote settings location. If the remote storage location is unavailable, and the user does not use the sync provider, the application start is delayed by this many milliseconds.|Specify the preferred synchronization time-out in milliseconds. The default value is 2000 milliseconds.| -|Tray Icon|Computers Only|This Group Policy setting enables the User Experience Virtualization (UE-V) tray icon.|This setting only has an effect for UE-V 2.x and earlier. It has no effect for UE-V in Windows 10, version 1607.| -|Use User Experience Virtualization (UE-V)|Computers and Users|This Group Policy setting lets you enable or disable User Experience Virtualization (UE-V).|This setting only has an effect for UE-V 2.x and earlier. For UE-V in Windows 10, version 1607, use the **Enable UE-V** setting.| -|Enable UE-V|Computers and Users|This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect.|This setting only has an effect for UE-V in Windows 10, version 1601. 
For UE-V 2.x and earlier, choose the **Use User Experience Virtualization (UE-V)** setting.| - ->[!NOTE] ->In addition, Group Policy settings are available for many desktop applications and Windows apps. You can use these settings to enable or disable settings synchronization for specific applications. - -### Windows App Group Policy settings - -|Group Policy setting name|Target|Group Policy setting description|Configuration options| -|--- |--- |--- |--- | -|Do not synchronize Windows Apps|Computers and Users|This Group Policy setting defines whether the UE-V service synchronizes settings for Windows apps.|The default is to synchronize Windows apps.| -|Windows App List|Computer and User|This setting lists the family package names of the Windows apps and states expressly whether UE-V synchronizes that app's settings.|You can use this setting to specify that settings of an app are never synchronized by UE-V, even if the settings of all other Windows apps are synchronized.| -|Sync Unlisted Windows Apps|Computer and User|This Group Policy setting defines the default settings sync behavior of the UE-V service for Windows apps that are not explicitly listed in the Windows app list.|By default, the UE-V service only synchronizes settings of those Windows apps that are included in the Windows app list.| - -For more information about synchronizing Windows apps, see [Windows App List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist). - -**To configure computer-targeted Group Policy settings** - -1. Use the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) on the computer that acts as a domain controller to manage Group Policy settings for UE-V computers. Navigate to **Computer configuration**, select **Policies**, select **Administrative Templates**, click **Windows Components**, and then select **Microsoft User Experience Virtualization** -1. 
Select the Group Policy setting to be edited - -**To configure user-targeted Group Policy settings** - -1. Use the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) tool in Microsoft Desktop Optimization Pack (MDOP) on the domain controller computer to manage Group Policy settings for UE-V. Navigate to **User configuration**, select **Policies**, select **Administrative Templates**, click **Windows Components**, and then select **Microsoft User Experience Virtualization** -1. Select the edited Group Policy setting - -The UE-V service uses the following order of precedence to determine synchronization. - -**Order of precedence for UE-V settings** - -1. User-targeted settings that are managed by Group Policy settings - These configuration settings are stored in the registry key by Group Policy under `HKEY_CURRENT_USER\Software\Policies\Microsoft\Uev\Agent\Configuration` -1. Computer-targeted settings that are managed by Group Policy settings - These configuration settings are stored in the registry key by Group Policy under `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Uev\Agent\Configuration` -1. Configuration settings that are defined by the current user by using Windows PowerShell or Windows management Instrumentation (WMI) - These configuration settings are stored by the UE-V service under this registry location: `HKEY_CURRENT_USER\Software\Microsoft\Uev\Agent\Configuration` -1. Configuration settings that are defined for the computer by using Windows PowerShell or WMI. These configuration settings are stored by the UE-V service under this registry location: `HKEY_LOCAL_MACHINE\Software\Microsoft\Uev\Agent\Configuration` - -## Related topics - -[Administering UE-V](uev-administering-uev.md) -[Manage Configurations for UE-V](uev-manage-configurations.md) 
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
deleted file mode 100644
index 6aa403bde3d..00000000000
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ /dev/null
@@ -1,152 +0,0 @@ ---- -title: Configuring UE-V with Microsoft Configuration Manager -description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager. -ms.date: 1/25/2024 -ms.topic: article ---- - -# Configuring UE-V with Microsoft Configuration Manager - -After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. - -## UE-V Configuration Pack supported features - -The UE-V Configuration Pack includes tools to: - -- Create or update UE-V settings location template distribution baselines - - Define UE-V templates to be registered or unregistered - - Update UE-V template configuration items and baselines as templates are added or updated - - Distribute and register UE-V templates using standard Configuration Item remediation -- Create or update a UE-V Agent policy configuration item to set or clear these settings - - |Configuration|Setting|Description| - |--- |--- |--- | - |Max package size|Enable/disable Windows app sync|Wait for sync on application start| - |Setting import delay|Sync unlisted Windows apps|Wait for sync on sign in| - |Settings import notification|IT contact URL|Wait for sync timeout| - |Settings storage path|IT contact descriptive text|Settings template catalog path| - |Sync enablement|Tray icon enabled|Start/Stop UE-V agent service| - |Sync method|First use notification|Define which Windows apps will roam settings| - |Sync timeout||| - -- Verify compliance by confirming that UE-V is running. 
- -## Generate a UE-V service policy configuration item - -All UE-V service policy and configuration is distributed through a single configuration item that is generated using the UevAgentPolicyGenerator.exe tool. This tool reads the desired configuration from an XML configuration file and creates a CI containing the discovery and remediation settings needed to bring the machine into compliance. - -The UE-V service policy configuration item CAB file is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters: - -- Site <site code> -- PolicyName <name> Optional: Defaults to "UE-V Agent Policy" if not present -- PolicyDescription <description> Optional: A description is provided if not present -- CabFilePath <full path to configuration item .CAB file> -- ConfigurationFile <full path to agent configuration XML file> - -> [!NOTE] -> It might be necessary to change the PowerShell execution policy to allow these scripts to run in your environment. Perform these steps in the Configuration Manager console: - -1. Select **Administration > Client Settings > Properties** -1. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass** - -**Create the first UE-V policy configuration item** - -1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console: - - ```cmd - C:\Program Files (x86)\Windows Kits\10\Microsoft User Experience Virtualization\Management\AgentConfiguration.xml - ``` - - The default configuration file contains five sections: - - **Computer Policy** - - All UE-V machine level settings. The DesiredState attribute can be - - - **Set** to have the value assigned in the registry - - **Clear** to remove the setting - - **Unmanaged** to have the configuration item left at its current state - - Don't remove lines from this section. 
Instead, set the DesiredState to `Unmanaged` if you don't want Configuration Manager to alter current or default values. - - **CurrentComputerUserPolicy** - - All UE-V user level settings. These entries override the machine settings for a user. The DesiredState attribute can be - - - **Set** to have the value assigned in the registry - - **Clear** to remove the setting - - **Unmanaged** to have the configuration item left at its current state - - Don't remove lines from this section. Instead, set the DesiredState to 'Unmanaged' if you don't want Configuration Manager to alter current or default values. - - **Services** - - Entries in this section control service operation. The default configuration file contains a single entry for the UevAgentService. The DesiredState attribute can be set to **Running** or **Stopped**. - - **Windows8AppsComputerPolicy** - - All machine level Windows app synchronization settings. Each PackageFamilyName listed in this section can be assigned a DesiredState of - - - **Enabled** to have settings roam - - **Disabled** to prevent settings from roaming - - **Cleared** to have the entry removed from UE-V control - - More lines can be added to this section based on the list of installed Windows apps that can be viewed using the PowerShell cmdlet GetAppxPackage. - - **Windows8AppsCurrentComputerUserPolicy** - - Identical to the Windows8AppsComputerPolicy with settings that override machine settings for an individual user. - -1. Edit the configuration file by changing the desired state and value fields. -1. Run this command on a machine running the ConfigMgr Admin Console: - ```cmd - C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevAgentPolicyGenerator.exe -Site ABC -CabFilePath "C:\MyCabFiles\UevPolicyItem.cab" -ConfigurationFile "c:\AgentConfiguration.xml" - ``` -1. Import the CAB file using ConfigMgr console or PowerShell Import-CMConfigurationItem - -**Update a UE-V Policy Configuration Item** - -1. 
Edit the configuration file by changing the desired state and value fields. -1. Run the command from Step 3 in [Create the First UE-V Policy Configuration Item](#create). If you changed the name with the PolicyName parameter, make sure you enter the same name. -1. Reimport the CAB file. The version in ConfigMgr will be updated. - -## Generate a UE-V Template Baseline - -UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality. - -The UE-V template baseline is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters: - -- Site <site code> -- BaselineName <name> (Optional: defaults to "UE-V Template Distribution Baseline" if not present) -- BaselineDescription <description> (Optional: a description is provided if not present) -- TemplateFolder <UE-V template folder> -- Register <comma separated template file list> -- Unregister <comma separated template list> -- CabFilePath <Full path to baseline CAB file to generate> - -The result is a baseline CAB file that is ready for import into Configuration Manager. If at a future date, you update or add a template, you can rerun the command using the same baseline name. Importing the CAB results in CI version updates on the changed templates. - -### Create the First UE-V Template Baseline - -1. Create a "master" set of UE-V templates in a stable folder location visible to the machine running your ConfigMgr Admin Console. As templates are added or updated, this folder is where they're pulled for distribution. The initial list of templates can be copied from a machine with UE-V installed. The default template location is C:\\Program Files\\Microsoft User Experience Virtualization\\Templates. -1. 
Create a text.bat file where you can add the template generator command. This step is optional, but will make regeneration simpler if you save the command parameters -1. Add the command and parameters to the .bat file that will generate the baseline. The following example creates a baseline that distributes Notepad and Calculator: - ```cmd - C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevTemplateBaselineGenerator.exe -Site "ABC" -TemplateFolder "C:\ProductionUevTemplates" -Register "MicrosoftNotepad.xml, MicrosoftCalculator.xml" -CabFilePath "C:\MyCabFiles\UevTemplateBaseline.cab" - ``` -1. Run the .bat file to create UevTemplateBaseline.cab ready for import into Configuration Manager - -### Update a UE-V Template Baseline - -The template generator uses the template version to determine if a template should be updated. If you make a template change and update the version, the baseline generator compares the template in your master folder with the template contained in the CI on the ConfigMgr server. If a difference is found, the generated baseline and modified CI versions are updated. - -To distribute a new Notepad template, you would perform these steps: - -1. Update the template and template version located in the <Version> element of the template -1. Copy the template to your master template directory -1. Run the command in the .bat file that you created in Step 3 in [Create the First UE-V Template Baseline](#create2) -1. Import the generated CAB file into ConfigMgr using the console or PowerShell Import-CMBaseline - -## Related articles - -[Manage Configurations for UE-V](uev-manage-configurations.md) diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md deleted file mode 100644 index a349f9b2a39..00000000000 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ /dev/null 
@@ -1,131 +0,0 @@ ---- -title: Deploy required UE-V features -description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings. -ms.date: 1/25/2024 -ms.topic: article ---- - -# Deploy required UE-V features - -To get up and running with User Experience Virtualization (UE-V), install and configure the following features. - -- [Deploy a settings storage location](#deploy-a-ue-v-settings-storage-location) that is accessible to end users. - This feature is a standard network share that stores and retrieves user settings. -- [Choose the configuration method for UE-V](#choose-the-configuration-method-for-ue-v) - You can deploy and configure UE-V with common management tools including group policy, Configuration Manager, or Windows Management Infrastructure and PowerShell. -- [Enable the UE-V service](#enable-the-ue-v-service) on user devices. - With Windows 10, version 1607, UE-V is installed automatically. You need to enable the UE-V service on each user device you want to include in your UE-V environment. - -The articles in this section describe how to deploy these features. - -## Deploy a UE-V Settings Storage Location - -UE-V requires a location in which to store user settings in settings package files. You can configure this settings storage location in one of these ways: - -- Create your own settings storage location -- Use existing Active Directory for your settings storage location - -> [!NOTE] -> As a matter of [performance and capacity planning](uev-prepare-for-deployment.md#performance-and-capacity-planning) and to reduce problems with network latency, create settings storage locations on the same local networks where the users' devices reside. We recommend 20 MB of disk space per user for the settings storage location. 
- -### Create a UE-V Settings Storage Location - -Before you define the settings storage location, you must create a root directory with read/write permissions for users who store settings on the share. The UE-V service creates user-specific folders under this root directory. - -The settings storage location is defined by setting the SettingsStoragePath configuration option, which you can configure by using one of these methods: - -- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings -- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V -- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) - - The path must be in a universal naming convention (UNC) path of the server and share. For example, **\\Server\Settingsshare\**. This configuration option supports the use of variables to enable specific synchronization scenarios. For example, you can use the %username%\%computername% variables to preserve the end user settings experience in these scenarios: - -- End users that use multiple physical devices in your enterprise -- Enterprise computers that are used by multiple end users - -The UE-V service dynamically creates a user-specific settings storage path, with a hidden system folder named **SettingsPackages**, based on the configuration setting of **SettingsStoragePath**. The service reads and writes settings to this location as defined by the registered UE-V settings location templates. - -**UE-V settings are determined by a "Last write wins" rule:** If the settings storage location is the same for a user with multiple managed computers, one UE-V service reads and writes to the settings location independently of services running on other computers. The last written settings and values are the ones applied when the service next reads from the settings storage location. 
- -**Deploy the settings storage location:** Follow these steps to define the settings storage location rather than using your existing Active Directory agent. You should limit access to the settings storage share to those users that require it, as shown in the tables below. - -**To deploy the UE-V network share** - -1. Create a new security group for UE-V users. -1. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. -1. Set the following share-level Server Message Block (SMB) permissions for the settings storage location folder. - - | **User account** | **Recommended permissions** | - |------------------------------|-----------------------------| - | Everyone | No permissions | - | Security group of UE-V users | Full control | - -1. Set the following NTFS file system permissions for the settings storage location folder. - - | **User account** | **Recommended permissions** | **Folder** | - |------------------------------|---------------------------------------------------|---------------------------| - | Creator/owner | Full control | Subfolders and files only | - | Security group of UE-V users | List folder/read data, create folders/append data | This folder only | - -With this configuration, the UE-V service creates and secures a Settingspackage folder while it runs in the context of the user, and grants each user permission to create folders for settings storage. Users receive full control to their Settingspackage folder while other users can't access it. - -> [!NOTE] -> If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. 
To enable this extra security, specify this setting in the Windows Server Registry Editor: -> -> 1. Add a **REG_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration** -> 1. Set the registry key value to *1* - -### Use Active Directory with UE-V - -The UE-V service uses Active Directory (AD) by default if you don't define a settings storage location. In these cases, the UE-V service dynamically creates the settings storage folder under the root of the AD home directory of each user. However, if a custom directory setting is configured in AD, then that directory is used instead. - -## Choose the Configuration Method for UE-V - -You'll need to decide which configuration method you'll use to manage UE-V after deployment since this configuration method is the one you'll use to deploy the UE-V Agent. Typically, this configuration method is the one that you already use in your environment, such as Windows PowerShell or Configuration Manager. - -You can configure UE-V before, during, or after you enable the UE-V service on user devices, depending on the configuration method that you use. - -- [**Group Policy**](uev-configuring-uev-with-group-policy-objects.md) You can use your existing Group Policy infrastructure to configure UE-V before or after you enable the UE-V service. The UE-V Group Policy ADMX template enables the central management of common UE-V service configuration options and includes settings to configure UE-V synchronization. - - > [!NOTE] - > Starting with Windows 10, version 1607, UE-V ADMX templates are installed automatically. - - Group Policy ADMX templates configure the synchronization settings for the UE-V service and enable the central management of common UE-V service configuration settings by using an existing Group Policy infrastructure. 
- Supported operating systems for the domain controller that deploys the Group Policy Objects include: - Windows Server 2012 and Windows Server 2012 R2 - -- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. -- [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service. - -> [!NOTE] -> Registry modification can result in data loss, or the computer becomes unresponsive. We recommend that you use other configuration methods. - -## Enable the UE-V service - -The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. - -Before enabling the UE-V service, you need to register the UE-V templates for first time use. In a PowerShell window, type **register-<TemplateName>** where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. - -> [!NOTE] -> With Windows 10, version 1607, you must register UE-V templates for all inbox and custom templates. This provides flexibility for only deploying the required templates. - -With Windows 10, version 1607 and later, the UE-V service is installed on user devices. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell. - -**To enable the UE-V service with Group Policy** - -1. Open the device's **Group Policy Editor** -1. 
Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization** -1. Run **Enable UEV** -1. Restart the device - -**To enable the UE-V service with Windows PowerShell** - -1. In a PowerShell window, type **Enable-UEV** and press ENTER -1. Restart the device -1. In a PowerShell window, type **Get-UEVStatus** and press ENTER to verify that the UE-V service was successfully enabled - -## Related articles - -[Prepare a UE-V deployment](uev-prepare-for-deployment.md) -[Deploy UE-V for use with custom applications](uev-deploy-uev-for-custom-applications.md) -[Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md deleted file mode 100644 index 6018becc895..00000000000 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ /dev/null 
@@ -1,198 +0,0 @@ ---- -title: Use UE-V with custom applications -description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator. -ms.date: 1/25/2024 -ms.topic: article ---- - -# Use UE-V with custom applications - -User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those settings included in the default templates, you can create your own custom settings location templates with the UE-V template generator. - -After you've reviewed [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) and decided that you want to synchronize settings for custom applications (for example, third-party, line-of-business), you'll need to deploy the features of UE-V described in this topic. - -To start, here are the main steps required to synchronize settings for custom applications: - -- [Install the UE-V template generator](#install-the-uev-template-generator) - Use the UEV template generator to create custom XML settings location templates. -- [Configure a UE-V settings template catalog](#deploy-a-settings-template-catalog) - You can define this path where custom settings location templates are stored. -- [Create custom settings location templates](#create-custom-settings-location-templates) - These custom templates let users sync settings for custom applications. 
-- [Deploy the custom settings location templates](#deploy-the-custom-settings-location-templates)
-
-After you test the custom template to ensure that settings are synced correctly, you can deploy these templates in one of these ways:
-
-- With your existing electronic software distribution solution, such as Configuration Manager
-- With Group Policy preferences
-- With a UE-V settings template catalog
-
-> [!NOTE]
-> Templates that are deployed with electronic software distribution methods or Group Policy must be registered with UE-V Windows Management Instrumentation (WMI) or Windows PowerShell.
-
-## Prepare to deploy UE-V for custom applications
-
-Before you start deploying the UE-V features that handle custom applications, review the following important information.
-
-### The UE-V template generator
-
-Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator doesn't create settings location templates for the following types of applications:
-
-- Virtualized applications
-- Applications that are offered through Terminal Services
-- Java applications
-- Windows applications
-
-> [!NOTE]
-> UE-V settings location templates can't be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V template generator. For more information about synchronizing settings for virtual applications, see [Using UE-V with virtual applications](uev-using-uev-with-application-virtualization-applications.md).
-
-**Excluded Locations:** The discovery process excludes locations that commonly store application software files that don't synchronize settings well between user computers or computing environments. By default, these files are excluded:
-
-- HKEY_CURRENT_USER registry keys and files to which the signed-in user can't write values
-- HKEY_CURRENT_USER registry keys and files that are associated with the core functionality of the Windows operating system
-- All registry keys that are located in the HKEY_LOCAL_MACHINE hive
-- Files that are located in Program Files directories
-- Files that are located in Users \ [User name] \ AppData \ LocalLow
-- Windows operating system files that are located in %Systemroot%
-
-If registry keys and files that are stored in excluded locations are required to synchronize application settings, you can manually add the locations to the settings location template during the template creation process.
-
-### Replace the default Microsoft templates
-
-A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1601. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you'll need to include the default templates with the custom templates in the settings template catalog.
-
-> [!IMPORTANT]
-> After you enable the UE-V service, you'll need to register the settings location templates using the `Register-UevTemplate` cmdlet in Windows PowerShell.
-
-When you use Group Policy to configure the settings template catalog path, you can choose to replace the default Microsoft templates.
If you configure the policy settings to replace the default Microsoft templates, all of the default Microsoft templates that are installed with Windows 10, version 1607 are deleted and only the templates that are located in the settings template catalog are used.
-
-> [!NOTE]
-> If there are customized templates in the settings template catalog that use the same ID as the default Microsoft templates, the Microsoft templates are ignored.
-
-You can replace the default templates by using the UE-V Windows PowerShell features. To replace the default Microsoft template with Windows PowerShell, unregister all of the default Microsoft templates, and then register the customized templates.
-
-Old settings packages remain in the settings storage location even if you deploy new settings location templates for an application. These packages aren't read by the UE-V service, but neither are they automatically deleted.
-
-### Install the UEV template generator
-
-Use the UE-V template generator to create custom settings location templates that you can then distribute to user devices. You can also use the template generator to edit an existing template or validate a template that was created with another XML editor.
-
-The UE-V template generator is included in the Windows Assessment and Deployment Kit (ADK) for Windows 10.
-
-Install the UE-V template generator on a computer that you can use to create a custom settings location template. This computer should have the applications installed for which custom settings location templates need to be generated.
-
-> [!IMPORTANT]
-> UE-V for Windows 10, version 1607 includes a new template generator. If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create settings location templates. Templates created with previous versions of the UE-V template generator will continue to work.
-
-To install the UE-V template generator:
-
-1.
Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) to access the ADK. -1. Select the **Get Windows ADK for Windows 10** button on this page to start the ADK installer. On the window pictured below, select **Microsoft User Experience Virtualization (UE-V) Template Generator** and then select Install. - - - -![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png) - -1. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. -1. See [Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md) for information about how to use the template generator. - -### Deploy a settings template catalog - -The UE-V settings template catalog is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores all the custom settings location templates. The UE-V service checks this location one time each day and updates its synchronization behavior, based on the templates in this folder. - -The UE-V service checks this folder for templates that were added, updated, or removed. It registers new and changed templates and unregisters removed templates. By default, templates are registered and unregistered one time per day at 3:30 A.M. local time by the Task Scheduler and at system startup. To customize the frequency of this scheduled task, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md). - -You can configure the settings template catalog path with command-line options, Group Policy, WMI, or Windows PowerShell. Templates stored at the settings template catalog path are automatically registered and unregistered by a scheduled task. - -To configure the settings template catalog for UE-V: - -1. Create a new folder on the computer that stores the UE-V settings template catalog. -1. 
Set the following share-level (SMB) permissions for the settings template catalog folder. - - | **User account** | **Recommended permissions** | - |------------------|------------------------------| - | Everyone | No Permissions | - | Domain Computers | Read Permission Levels | - | Administrators | Read/Write Permission Levels | - -1. Set the following NTFS file system permissions for the settings template catalog folder. - - | **User account** | **Recommended permissions** | **Apply to** | - |------------------|-------------------------------|-----------------------------------| - | Creator/Owner | Full Control | This Folder, Subfolders and Files | - | Domain Computers | List Folder Contents and Read | This Folder, Subfolders and Files | - | Everyone | No Permissions | No Permissions | - | Administrators | Full Control | This Folder, Subfolders and Files | - -1. Click **OK** to close the dialog boxes. - -At a minimum, the network share must grant permissions for the Domain Computers group. In addition, grant access permissions for the network share folder to administrators who are to manage the stored templates. - -### Create custom settings location templates - -Use the UE-V template generator to create settings location templates for line-of-business applications or other custom applications. After you create the template for an application, deploy it to computers to synchronize settings for that application. - -To create a UE-V settings location template with the UE-V template generator: - -1. Click **Start** > **All Programs** > **Microsoft User Experience Virtualization** > **Microsoft User Experience Virtualization template generator**. -1. Click **Create a settings location template**. -1. Specify the application. Browse to the file path of the application (.exe) or the application shortcut (.lnk) for which you want to create a settings location template. Specify the command-line arguments, if any, and working directory, if any. -1. 
Click **Next** to continue. - - >**Note** Before the application is started, the system displays a prompt for **User Account Control**. Permission is required to monitor the registry and file locations that the application uses to store settings. - -1. After the application starts, close the application. The UE-V template generator records the locations where the application stores its settings. -1. After the process is completed, click **Next** to continue. - -1. Review and select the appropriate registry settings locations and settings file locations to synchronize for this application. The list includes the following two categories for settings locations: - - - **Standard**: Application settings that are stored in the registry under the HKEY_CURRENT_USER keys or in the file folders under \ **Users** \ [User name] \ **AppData** \ **Roaming**. The UE-V template generator includes these settings by default. - - **Nonstandard**: Application settings that are stored outside the locations are specified in the best practices for settings data storage (optional). These include files and folders under **Users** \ [User name] \ **AppData** \ **Local**. Review these locations to determine whether to include them in the settings location template. Select the locations check boxes to include them. - -1. Click **Next** to continue. -1. Review and edit any **Properties**, **Registry** locations, and **Files** locations for the settings location template. - - - Edit the following properties on the **Properties** tab: - - - **Application Name**: The application name that is written in the description of the program files properties. - - **Program name**: The name of the program that is taken from the program file properties. This name usually has the .exe file name extension. - - **Product version**: The product version number of the .exe file of the application. 
This property, in conjunction with the **File version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the product. - - **File version**: The file version number of the .exe file of the application. This property, in conjunction with the **Product version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the program. - - **template author name** (optional): The name of the settings location template author. - - **template author email** (optional): The email address of the settings location template author. - - The **Registry** tab lists the **Key** and **Scope** of the registry locations that are included in the settings location template. Edit the registry locations by using the **Tasks** drop-down menu. Tasks enable you to add new keys, edit the name or scope of existing keys, delete keys, and browse the registry where the keys are located. Use the **All Settings** scope to include all the registry settings under the specified key. Use the **All Settings and Subkeys** to include all the registry settings under the specified key, subkeys, and subkey settings. - - The **Files** tab lists the file path and file mask of the file locations that are included in the settings location template. Edit the file locations by use of the **Tasks** drop-down menu. Tasks for file locations enable you to add new files or folder locations, edit the scope of existing files or folders, delete files or folders, and open the selected location in Windows Explorer. Leave the file mask empty to include all files in the specified folder. -1. Click **Create**, and then click **Save** to save the settings location template on the computer. -1. 
Click **Close** to close the settings template wizard. Exit the UE-V template generator application.
-1. After you've created the settings location template for an application, test the template. Deploy the template in a lab environment before you put it into production in the enterprise.
-
-See [Application template schema reference for UE-V](uev-application-template-schema-reference.md) for details about the XML structure of the UE-V settings location template and for guidance about editing these files.
-
-### Deploy the Custom Settings Location templates
-
-After you create a settings location template with the UE-V template generator, you should test it to ensure that the application settings are synchronized correctly. You can then safely deploy the settings location template to user devices in the enterprise.
-
-You can deploy settings location templates using of these methods:
-
-- An electronic software distribution (ESD) system such as Microsoft Configuration Manager
-- Group Policy preferences
-- A UE-V settings template catalog
-
-Templates that are deployed by using an ESD system or Group Policy objects must be registered using UE-V Windows Management Instrumentation (WMI) or Windows PowerShell. Templates that are stored in the settings template catalog location are automatically registered by the UE-V service.
-
-To deploy UE-V settings location templates with a settings template catalog path:
-
-1. Browse to the network share folder that you defined as the settings template catalog.
-1. Add, remove, or update settings location templates in the settings template catalog to reflect the UE-V service template configuration that you want for UE-V computers.
- > [!NOTE]
- > Templates on computers are updated daily. The update is based on changes to the settings template catalog.
-1.
To manually update templates on a computer that runs the UE-V service, open an elevated command prompt, and browse to **Program Files\Microsoft User Experience Virtualization \ Agent \ <x86 or x64 >**, and then run **ApplySettingstemplateCatalog.exe**. - > [!NOTE] - > This program runs automatically during computer startup and daily at 3:30 A. M. to gather any new templates that were recently added to the catalog. - -## Related topics - -- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) -- [Deploy Required UE-V Features](uev-deploy-required-features.md) diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md deleted file mode 100644 index e65d1235967..00000000000 --- a/windows/configuration/ue-v/uev-for-windows.md +++ /dev/null 
@@ -1,78 +0,0 @@
----
-title: User Experience Virtualization for Windows 10, version 1607
-description: Overview of User Experience Virtualization for Windows 10, version 1607
-ms.date: 1/25/2024
-ms.topic: article
----
-
-# User Experience Virtualization (UE-V) for Windows 10 overview
-
-Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
-
-With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
-
-**With UE-V you can…**
-
-- Specify which application and Windows settings synchronize across user devices
-- Deliver the settings anytime and anywhere users work throughout the enterprise
-- Create custom templates for your third-party or line-of-business applications
-- Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state
-
-With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you'll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
-
-## Components of UE-V
-
-The diagram below illustrates how UE-V components work together to synchronize user settings.
- -UE-V architecture, with server share, desktop, and UE-V service - - - -| **Component** | **Function** | -|--|--| -| **UE-V service** | Enabled on every device that needs to synchronize settings, the **UE-V service** monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. | -| **Settings packages** | Application settings and Windows settings are stored in **settings packages** created by the UE-V service. Settings packages are built, locally stored, and copied to the settings storage location.
    The setting values for **desktop applications** are stored when the user closes the application.
    Values for **Windows settings** are stored when the user logs off, when the computer is locked, or when the user disconnects remotely from a computer.
    The sync provider determines when the application or operating system settings are read from the **Settings Packages** and synchronized. | -| **Settings storage location** | This is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. | -| **Settings location templates** | UE-V uses XML files as settings location templates to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by [managing settings synchronization for custom applications](#manage-settings-synchronization-for-custom-applications).
    **Note**  Settings location templates are not required for Windows applications. | -| **Universal Windows applications list** | Settings for Windows applications are captured and applied dynamically. The app developer specifies the settings that are synchronized for each app. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
    You can add or remove applications in the Windows app list by following the procedures in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). | - -## Manage settings synchronization for custom applications - -Use these UE-V components to create and manage custom templates for your third-party or line-of-business applications. - -| Component | Description | -|--|--| -| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor.
    With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
    If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. | -| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.
    If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md). | - - - -![UE-V template generator process.](images/uev-generator-process.png) - -## Settings synchronized by default - -UE-V synchronizes settings for these applications by default. For a complete list and more detailed information, see [Settings that are automatically synchronized in a UE-V deployment](uev-prepare-for-deployment.md). - -- Microsoft Office 2016, 2013, and 2010 -- Internet Explorer 11 and 10 -- Many Windows applications, such as Xbox -- Many Windows desktop applications, such as Notepad -- Many Windows settings, such as desktop background or wallpaper - -> [!NOTE] -> You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom-applications.md) for applications other than those synchronized by default. - -## Other resources for this feature - -- [Get Started with UE-V for Windows 10](uev-getting-started.md) -- [UE-V for Windows 10 Release Notes](uev-release-notes-1607.md) -- [Prepare to deploy UE-V for Windows 10](uev-prepare-for-deployment.md) -- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) -- [Administer UE-V for Windows 10](uev-administering-uev.md) -- [Technical Reference for UE-V for Windows 10](uev-technical-reference.md) - -For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md deleted file mode 100644 index 03d142d4b2a..00000000000 --- a/windows/configuration/ue-v/uev-getting-started.md +++ /dev/null 
@@ -1,132 +0,0 @@
----
-title: Get Started with UE-V
-description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
-ms.date: 1/25/2024
-ms.topic: article
----
-
-# Get Started with UE-V
-
->[!NOTE]
->This documentation is for the most recent version of UE-V. If you're looking for information about UE-V 2.x, which was included in the Microsoft Desktop Optimization Pack (MDOP), see [Get Started with UE-V 2.x](/microsoft-desktop-optimization-pack/uev-v2/get-started-with-ue-v-2x-new-uevv2).
-
-Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it's the right solution to manage user settings across multiple devices within your enterprise.
-
->[!NOTE]
->The information in this section is explained in greater detail throughout the rest of the documentation. If you've already determined that UE-V is the right solution and you don't need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md).
-
-The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows applications settings. For best results, ensure that your test environment includes two or more user computers that share network access.
-
-- [Step 1: Confirm prerequisites](#step-1-confirm-prerequisites). Review the supported configurations in this section to verify that your environment is able to run UE-V.
-- [Step 2: Deploy the settings storage location](#step-2-deploy-the-settings-storage-location). Explains how to deploy a settings storage location. All UE-V deployments require a location to store settings packages that contain the synchronized setting values.
-- [Step 3: Enable and configure the UE-V service](#step-3-enable-and-configure-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices and configure the storage path.
To synchronize settings using UE-V, devices must have the UE-V service enabled and running.
-- [Step 4: Test Your UE-V evaluation deployment](#step-4-test-your-ue-v-evaluation-deployment). Run a few tests on two computers with the UE-V service enabled to see how UE-V works and if it meets your organization's needs.
-- Step 5: Deploy UE-V for custom applications (optional). If you want to evaluate how your third-party and line-of-business applications work with UE-V, follow the steps in [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). Following this link takes you to another topic. Use your browser's **Back** button to return to this topic.
-
-## Step 1: Confirm prerequisites
-
-Before you proceed, ensure that your environment meets the following requirements for running UE-V.
-
-| **Operating system** | **Edition** | **Service pack** | **System architecture** | **Windows PowerShell** | **Microsoft .NET Framework** |
-|--|--|--|--|--|--|
-| Windows 10, version 1607 | Windows 10 Enterprise | NA | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4 or higher |
-| Windows 8 and Windows 8.1 | Enterprise or Pro | None | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 |
-| Windows Server 2012 or Windows Server 2012 R2 | Standard or Datacenter | None | 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 |
-
-## Step 2: Deploy the settings storage location
-
-You'll need to deploy a settings storage location, a standard network share where user settings are stored in a settings package file. When you create the settings storage share, you should limit access to users that require it. For more information, see [Deploy a UE-V Settings Storage Location](uev-deploy-required-features.md#deploy-a-ue-v-settings-storage-location).
-
-**Create a network share**
-
-1. Create a new security group and add UE-V users to the group.
-1.
Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant the UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. -1. Assign UE-V users permission to create a directory when they connect. Grant full permission to all subdirectories of that directory, but block access to anything above. -1. Set the following share-level Server Message Block (SMB) permissions for the settings storage location folder. - - | **User account** | **Recommended permissions** | - |--|--| - | Everyone | No permissions | - | Security group of UE-V users | Full control | - -1. Set the following NTFS file system permissions for the settings storage location folder. - - | **User account** | **Recommended permissions** | **Folder** | - |--|--|--| - | Creator/owner | Full control | Subfolders and files only | - | Security group of UE-V users | List folder/read data, create folders/append data | This folder only | - -**Security Note**  If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: - -1. Add a **REG\_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\UEV\\Agent\\Configuration**. -1. Set the registry key value to *1*. - -## Step 3: Enable and configure the UE-V service on user devices - -For evaluation purposes, enable the service on at least two devices that belong to the same user in your test environment. - -The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. 
Settings packages are built, locally stored, and copied to the settings storage location. - -Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `Register-UevTemplate [TemplateName]` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. For instance, to register all built-in UE-V templates, use the following PowerShell Command: -`Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}` - -A storage path must be configured on the client-side to tell where the personalized settings are stored. - -**To set the storage path for UE-V with Group Policy** - -1. Open the device's **Group Policy Editor**. -1. Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization**. -1. Double click **Settings storage path**. -1. Select **Enabled**, fill in the **Settings storage path**, and click **OK**. - - - Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder. - -**To set the storage path for UE-V with PowerShell** - -1. In a PowerShell window, type **Set-uevConfiguration -SettingsStoragePath [StoragePath]** where **[StoragePath]** is the path to the location created in step 2 followed by **\%username%**. - - - Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder. - -With Windows 10, version 1607 and later, the UE-V service is installed on user devices when the operating system is installed. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell. - -**To enable the UE-V service with Group Policy** - -1. Open the device's **Group Policy Editor**. -1. 
Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization**. -1. Double click **Use User Experience Virtualization (UE-V)**. -1. Select **Enabled** and click **OK**. -1. Restart the device. - -**To enable the UE-V service with Windows PowerShell** - -1. In a PowerShell window, type **Enable-UEV** and press ENTER. -1. Restart the device. -1. In a PowerShell window, type **Get-UEVStatus** and press ENTER to verify that the UE-V service was successfully enabled. - -## Step 4: Test your UE-V evaluation deployment - -You're ready to run a few tests on your UE-V evaluation deployment to see how UE-V works. - -1. On the first device (Computer A), make one or more of these changes: - - Open Windows Desktop and move the taskbar to a different location in the window. - - Change the default fonts. - - Open Notepad and set format -> word wrap **on**. - - Change the behavior of any Windows application, as detailed in [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). - - - Disable Microsoft Account settings synchronization and roaming profiles. - -1. Log off Computer A. Settings are saved in a UE-V settings package when users lock, logoff, exit an application, or when the sync provider runs (every 30 minutes by default). -1. Log in to the second device (Computer B) as the same user as Computer A. -1. Open Windows Desktop and verify that the taskbar location matches that of Computer A. Verify that the default fonts match and that NotePad is set to **word wrap on**. Also verify the change you made to any Windows applications. -1. You can change the settings in Computer B back to the original Computer A settings. Then log off Computer B and log in to Computer A to verify the changes. 
-
-For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
-
-## Other resources for this feature
-
-- [User Experience Virtualization overview](uev-for-windows.md)
-- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
-- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
-- [Administering UE-V](uev-administering-uev.md)
-- [Troubleshooting UE-V](uev-troubleshooting.md)
-- [Technical Reference for UE-V](uev-technical-reference.md)
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
deleted file mode 100644
index 48e3c7c9594..00000000000
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ /dev/null
@@ -1,111 +0,0 @@ ---- -title: Manage Administrative Backup and Restore in UE-V -description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state. -ms.date: 1/25/2024 -ms.topic: article ---- - -# Manage Administrative Backup and Restore in UE-V - -As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore more settings when a user adopts a new device. - -## Restore Settings in UE-V when a User Adopts a New Device - -To restore settings when a user adopts a new device, you can put a settings location template in a **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This setup lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To back up settings for a template, use the following cmdlet in Windows PowerShell: - -```powershell -Set-UevTemplateProfile -ID -Profile -``` - -- <TemplateID> is the UE-V Template ID -- <backup> can either be Backup or Roaming - -When a user's device is being replaced, UE-V automatically restores settings if the user's domain, username, and device name all match. All synchronized and any backup data is restored on the device automatically. - -You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell: - -```powershell -Restore-UevBackup -ComputerName -``` - -where <ComputerName> is the computer name of the device. - -Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. 
Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings can't be included in a roaming profile. - -As part of the Backup/Restore feature, UE-V added **last known good (LKG)** to the options for rolling back to settings. In this release, you can roll back to either the original settings or LKG settings. The LKG settings let users roll back to an intermediate and stable point ahead of the pre-UE-V state of the settings. - -### How to Backup/Restore Templates with UE-V - -Here are the key backup and restore components of UE-V: - -- Template profiles -- Settings packages location within the Settings Storage Location template -- Backup trigger -- How settings are restored - -**Template Profiles** - -A UE-V template profile is defined when the template is registered on the device or post registration through the PowerShell/WMI configuration utility. The profile types include: - -- Roaming (default) -- Backup -- BackupOnly - -All templates are included in the roaming profile when registered unless otherwise specified. These templates synchronize settings to all UE-V enabled devices with the corresponding template enabled. - -Templates can be added to the Backup Profile with PowerShell or WMI using the Set-UevTemplateProfile cmdlet. Templates in the Backup Profile back up these settings to the Settings Storage Location in a special Device name directory. Specified settings are backed up to this location. - -Templates designated BackupOnly include settings specific to that device that shouldn't be synchronized unless explicitly restored. These settings are stored in the same device-specific settings package location on the settings storage location as the Backedup Settings. These templates have a special identifier embedded in the template that specifies they should be part of this profile. 
- -**Settings packages location within the Settings Storage Location template** - -Roaming Profile settings are stored on the settings storage location. Templates assigned to the Backup or the BackupOnly profile store their settings to the Settings Storage Location in a special Device name directory. Each device with templates in these profiles has its own device name. UE-V doesn't clean up these directories. - -**Backup trigger** - -Backup is triggered by the same events that trigger a UE-V synchronization. - -**How settings are restored** - -Restoring a user's device restores the currently registered Template's settings from another device's backup folder and all synchronized settings to the current machine. Settings are restored in these two ways: - -- **Automatic restore** - - If the user's UE-V settings storage path, domain, and Computer name match the current user then all of the settings for that user are synchronized, with only the latest settings applied. If a user signs in to a new device for the first time and these criteria are met, the settings data is applied to that device. - - > [!NOTE] - > Accessibility and Windows Desktop settings require the user to sign in again to Windows to be applied. - -- **Manual Restore** - - If you want to assist users by restoring a device during a refresh, you can choose to use the Restore-UevBackup cmdlet. This command ensures that the user's current settings become the current state on the Settings Storage Location. - -## Restore Application and Windows Settings to Original State - -WMI and Windows PowerShell commands let you restore application and Windows settings to the settings values that were on the computer the first time that the application started after the UE-V service was enabled. This restoring action is performed on a per-application or Windows settings basis. The settings are restored the next time that the application runs, or the settings are restored when the user signs in to the operating system. 
- -**To restore application settings and Windows settings with Windows PowerShell for UE-V** - -1. Open the Windows PowerShell window. -1. Enter the following Windows PowerShell cmdlet to restore the application settings and Windows settings. - - |**Windows PowerShell cmdlet**|**Description**| - |--- |--- | - |`Restore-UevUserSetting -` |Restores the user settings for an application or restores a group of Windows settings.| - -**To restore application settings and Windows settings with WMI** - -1. Open a Windows PowerShell window. -1. Enter the following WMI command to restore application settings and Windows settings. - - |**WMI command**|**Description**| - |--- |--- | - |`Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserSettings -Name RestoreByTemplateId -ArgumentList `|Restores the user settings for an application or restores a group of Windows settings.| - ->[!NOTE] ->UE-V doesn't provide a settings rollback for Windows apps. - -## Related topics - -[Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md) -[Administering UE-V](uev-administering-uev.md) diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md deleted file mode 100644 index 8dbec4a9b6b..00000000000 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ /dev/null 
@@ -1,48 +0,0 @@
----
-title: Manage Configurations for UE-V
-description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
-ms.date: 1/25/2024
-ms.topic: article
----
-
-# Manage Configurations for UE-V
-
-In the course of the User Experience Virtualization (UE-V) lifecycle, you have to manage the configuration of the UE-V service and also manage storage locations for resources such as settings package files. The following topics provide guidance for managing these UE-V resources.
-
-## Configuring UE-V by using Group Policy Objects
-
-You can use Group Policy Objects to modify the settings that define how UE-V synchronizes settings on computers.
-
-[Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md)
-
-## Configuring UE-V with Microsoft Configuration Manager
-
-You can use Microsoft Endpoint Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack.
-
-[Configuring UE-V with Microsoft Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
-
-## Administering UE-V with PowerShell and WMI
-
-UE-V provides Windows PowerShell cmdlets, which can help administrators perform various UE-V tasks.
-
-[Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md)
-
-## Examples of configuration settings for UE-V
-
-Here are some examples of UE-V configuration settings:
-
-- **Settings Storage Path:** Specifies the location of the file share that stores the UE-V settings.
-- **Settings Template Catalog Path:** Specifies the Universal Naming Convention (UNC) path that defines the location that was checked for new settings location templates.
-- **Register Microsoft Templates:** Specifies whether the default Microsoft templates should be registered during installation.
-- **Synchronization Method:** Specifies whether UE-V uses the sync provider or "none". The "SyncProvider" supports computers that are disconnected from the network. "None" applies when the computer is always connected to the network. For more information about the Sync Method, see [Sync Methods for UE-V](uev-sync-methods.md).
-- **Synchronization Timeout:** Specifies the number of milliseconds that the computer waits before time-out when it retrieves the user settings from the settings storage location.
-- **Synchronization Enable:** Specifies whether the UE-V settings synchronization is enabled or disabled.
-- **Maximum Package Size:** Specifies a settings package file threshold size in bytes at which the UE-V service reports a warning.
-- **Don't Sync Windows App Settings:** Specifies that UE-V should not synchronize Windows apps.
-- **Enable/Disable First Use Notification:** Specifies whether UE-V displays a dialog box the first time that the UE-V service runs on a user's computer.
-
-## Related topics
-
-[Administering UE-V](uev-administering-uev.md)
-[Deploy Required UE-V Features](uev-deploy-required-features.md)
-[Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md)
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
deleted file mode 100644
index a87fb622e47..00000000000
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ /dev/null
@@ -1,178 +0,0 @@ ---- -title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI -description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI -ms.date: 1/25/2024 -ms.topic: article ---- - -# Managing UE-V Settings Location Templates Using Windows PowerShell and WMI - -User Experience Virtualization (UE-V) uses XML settings location templates to define the settings that User Experience Virtualization captures and applies. UE-V includes a set of standard settings location templates. It also includes the UE-V template generator tool that enables you to create custom settings location templates. After you create and deploy settings location templates, you can manage those templates by using Windows PowerShell and the Windows Management Instrumentation (WMI). - -> [!NOTE] -> For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](/powershell/module/uev/). - -## Manage UE-V settings location templates by using Windows PowerShell - -The WMI and Windows PowerShell features of UE-V include the ability to enable, disable, register, update, and unregister settings location templates. By using these features, you can automate the process of registering, updating, or unregistering templates with the UE-V service. You can also manually register templates by using WMI and Windows PowerShell commands. By using these features in conjunction with an electronic software distribution solution, Group Policy, or another automated deployment method such as a script, you can further automate that process. - -You must have administrator permissions to update, register, or unregister a settings location template. Administrator permissions are not required to enable, disable, or list templates. - -**To manage settings location templates by using Windows PowerShell** - -1. Use an account with administrator rights to open a Windows PowerShell command prompt. -1. 
Use the following Windows PowerShell cmdlets to register and manage the UE-V settings location templates. - - |Windows PowerShell command|Description| - |--- |--- | - |`Get-UevTemplate`|Lists all the settings location templates that are registered on the computer.| - |`Get-UevTemplate -Application `|Lists all the settings location templates that are registered on the computer where the application name or template name contains.| - |`Get-UevTemplate -TemplateID `|Lists all the settings location templates that are registered on the computer where the template ID contains.| - |`Get-UevTemplate [-ApplicationOrTemplateID] `|Lists all the settings location templates that are registered on the computer where the application or template name, or template ID contains.| - |`Get-UevTemplateProgram [-ID]