Enable or block Windows Mixed Reality apps in the enterprise

Applies to

  • Windows 10

Windows Mixed Reality was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a Windows 10 Feature on Demand (FOD). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update.

Organizations that use Windows Server Update Services (WSUS) must take action to enable Windows Mixed Reality. Any organization that wants to prohibit use of Windows Mixed Reality can block the installation of the Mixed Reality Portal.

Enable Windows Mixed Reality in WSUS

  1. Check your version of Windows 10.

    Note

    You must be on at least Windows 10, version 1709, to run Windows Mixed Reality.

  2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.

    a. Download the FOD .cab file for Windows 10, version 1803 or the FOD .cab file for Windows 10, version 1709.

    Note

    You must download the FOD .cab file that matches your operating system version.

    b. Use Add-Package to add Windows Mixed Reality FOD to the image.

    Add-Package
    Dism /Online /add-package /packagepath:(path)
    

    c. In Settings > Update & Security > Windows Update, select Check for updates.

IT admins can also create Side by side feature store (shared folder) to allow access to the Windows Mixed Reality FOD.

Block the Mixed Reality Portal

You can use the AppLocker configuration service provider (CSP) to block the Mixed Reality software.

In the following example, the Id can be any generated GUID and the Name can be any name you choose. Note that BinaryName="*" allows you to block any app executable in the Mixed Reality Portal package. Binary/VersionRange, as shown in the example, will block all versions of the Mixed Reality Portal app.

<SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
        <Add>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                    <Type xmlns="syncml:metinf">text/plain</Type>
                </Meta>
                <Data>  
                  &lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
                   &lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
                    &lt;Conditions&gt;
                      &lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
                        &lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
                      &lt;/FilePublisherCondition&gt;
                    &lt;/Conditions&gt;
                  &lt;/FilePublisherRule&gt;
                  &lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
                   &lt;Conditions&gt;
                     &lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
                      &lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
                      &lt;/FilePublisherCondition&gt;
                    &lt;/Conditions&gt;
                  &lt;/FilePublisherRule&gt;
                 &lt;/RuleCollection&gt;&gt;
                </Data>
            </Item>
        </Add>
        <Final/>
    </SyncBody>
</SyncML>