From 003956186e6a5a65d32f5f118385ff32943295e9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 12 Feb 2024 16:10:48 +0100 Subject: [PATCH] updates --- ...ing.redirection.windows-configuration.json | 17 +++- ..._lock-down-windows-10-to-specific-apps.md} | 4 - ..._lock-down-windows-11-to-specific-apps.md} | 18 ---- .../kiosk/lock-down-windows-10-applocker.md | 85 ------------------- windows/configuration/kiosk/toc.yml | 6 -- 5 files changed, 16 insertions(+), 114 deletions(-) rename windows/configuration/kiosk/{lock-down-windows-10-to-specific-apps.md => _lock-down-windows-10-to-specific-apps.md} (99%) rename windows/configuration/kiosk/{lock-down-windows-11-to-specific-apps.md => _lock-down-windows-11-to-specific-apps.md} (97%) delete mode 100644 windows/configuration/kiosk/lock-down-windows-10-applocker.md diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json index 366f58f38d..3ef06c7d79 100644 --- a/.openpublishing.redirection.windows-configuration.json +++ b/.openpublishing.redirection.windows-configuration.json 
@@ -584,6 +584,21 @@ "source_path": "windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md", "redirect_url": "/windows/configuration/kiosk/find-aumid", "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/lock-down-windows-10-applocker.md", + "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md", + "redirect_url": "/windows/configuration/kiosk/create-xml", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md", + "redirect_url": "/windows/configuration/kiosk/create-xml", + "redirect_document_id": false } ] -} +} \ No newline at end of file diff --git a/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md b/windows/configuration/kiosk/_lock-down-windows-10-to-specific-apps.md similarity index 99% rename from windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md rename to windows/configuration/kiosk/_lock-down-windows-10-to-specific-apps.md index 43646ca390..7f28735fb6 100644 --- a/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/kiosk/_lock-down-windows-10-to-specific-apps.md @@ -27,8 +27,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi > [!TIP] > Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. - - ## Configure a kiosk in Microsoft Intune To configure a kiosk in Microsoft Intune, see: 
@@ -36,8 +34,6 @@ To configure a kiosk in Microsoft Intune, see: - [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings) - [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows) - - ## Configure a kiosk using a provisioning package Process: diff --git a/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md b/windows/configuration/kiosk/_lock-down-windows-11-to-specific-apps.md similarity index 97% rename from windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md rename to windows/configuration/kiosk/_lock-down-windows-11-to-specific-apps.md index d64d0fd5f4..3b9039bc3d 100644 --- a/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md +++ b/windows/configuration/kiosk/_lock-down-windows-11-to-specific-apps.md @@ -20,24 +20,6 @@ An assigned access multi-app kiosk runs one or more apps from the desktop. Peopl > [!TIP] > Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. -## Configure a Multi-App Kiosk - -See the table below for the different methods to configure a multi-app kiosk in Windows 11. - -|Configuration Method|Availability| -|--------------------|------------| -|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023| - - - -> [!NOTE] -> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below. - ## Create the XML file Let's start by looking at the basic structure of the XML file. diff --git a/windows/configuration/kiosk/lock-down-windows-10-applocker.md b/windows/configuration/kiosk/lock-down-windows-10-applocker.md deleted file mode 100644 index 24561726a8..0000000000 --- a/windows/configuration/kiosk/lock-down-windows-10-applocker.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps -description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. -appliesto: -- ✅ Windows 10 -ms.date: 07/30/2018 -ms.topic: article ---- - -# Use AppLocker to create a Windows 10 kiosk that runs multiple apps - -Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](./kiosk-methods.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. - ->[!NOTE] ->For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md). - -You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device. - -AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref). - -This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. 
- -![install create lockdown customize.](images/lockdownapps.png) - -## Install apps - -First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account. - -## Use AppLocker to set rules for apps - -After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else. - -1. Run Local Security Policy (secpol.msc) as an administrator. -1. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. - - ![configure rule enforcement.](images/apprule.png) - -1. Check **Configured** under **Executable rules**, and then click **OK**. -1. Right-click **Executable Rules** and then click **Automatically generate rules**. - - ![automatically generate rules.](images/genrule.png) - -1. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. -1. Type a name to identify this set of rules, and then click **Next**. -1. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules. -1. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps. -1. Read the message and click **Yes**. - - ![default rules warning.](images/appwarning.png) - -1. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. -1. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**. -1. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. 
To force the Application Identity service to automatically start on reset, open a command prompt and run: - - ``` syntax - sc config appidsvc start=auto - ``` - -1. Restart the device. - -## Other settings to lock down - -In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device: - -- Remove **All apps**. - Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**. -- Hide **Ease of access** feature on the logon screen. - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. -- Disable the hardware power button. - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -- Disable the camera. - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -- Turn off app notifications on the lock screen. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -- Disable removable media. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. - - > [!NOTE] - > To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -To learn more about locking down features, see [Customizations for Windows 10 Enterprise](/windows-hardware/customize/enterprise/enterprise-custom-portal). 
- -## Customize Start screen layout for the device (recommended) - -Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](../start/windows-10-start-layout-options-and-policies.md). diff --git a/windows/configuration/kiosk/toc.yml b/windows/configuration/kiosk/toc.yml index 4ab1246c04..78bff74437 100644 --- a/windows/configuration/kiosk/toc.yml +++ b/windows/configuration/kiosk/toc.yml @@ -15,10 +15,6 @@ items: href: setup-digital-signage.md - name: Configure a kiosk href: kiosk-single-app.md - - name: Configure a restricted user experience for Windows 10 - href: lock-down-windows-10-to-specific-apps.md - - name: Configure a restricted user experience for Windows 11 - href: lock-down-windows-11-to-specific-apps.md - name: How-to guides items: - name: Create an Assigned Access XML file @@ -27,8 +23,6 @@ items: href: find-aumid.md - name: Use MDM Bridge WMI Provider to create a Windows client kiosk href: kiosk-mdm-bridge.md - - name: Use AppLocker to create a Windows 10 kiosk - href: lock-down-windows-10-applocker.md - name: Use Shell Launcher to create a Windows client kiosk href: kiosk-shelllauncher.md - name: Troubleshoot
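Review bot: in the `.openpublishing.redirection.windows-configuration.json` hunk, the `-}` / `+}` pair followed by `\ No newline at end of file` shows the closing brace was only touched to drop the trailing newline; restore the final newline so the closing line does not churn in every future diff. On the same hunk, the `lock-down-windows-10-applocker.md` entry redirects to the generic `applocker-overview` page rather than anything kiosk-specific, while the two `lock-down-windows-1x-to-specific-apps.md` entries go to `create-xml`; confirm the AppLocker overview actually covers what the deleted page said (Application Identity service requirement, kiosk lockdown settings), otherwise that guidance is lost behind the redirect.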
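Review bot: the `_lock-down-windows-10-to-specific-apps.md` rename keeps the page content (99% similarity) under an underscore-prefixed filename while the redirection file sends the old URL to `create-xml`; if the underscore prefix is meant to exclude the file from the build, say so in the PR description, otherwise this is dead content that will drift from `create-xml`. The hunk body itself only removes blank lines and needs no other change.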
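Review bot: the removed NOTE in `_lock-down-windows-11-to-specific-apps.md` ("For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below") was the only sentence on this page stating who authors the XML and which configuration methods consume it; the `## Create the XML file` section that now follows the TIP opens with "Let's start by looking at the basic structure of the XML file" with no lead-in. Either keep that note or fold its content into the first line of `## Create the XML file`. Dropping the one-row table with "Available May 2023" is fine.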
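Review bot: deleting `lock-down-windows-10-applocker.md` drops the step "Before AppLocker will enforce rules, the **Application Identity** service must be turned on" and its `sc config appidsvc start=auto` command, which is the only place in this patch set that states the enforcement prerequisite; a reader following the new redirect to `applocker-overview` who does not find it there will create rules that never enforce. The "Other settings to lock down" list (Device Installation Restrictions with the administrator-override note, lock-screen notifications, power button, camera) is kiosk-specific hardening with no counterpart in the redirect target; consider moving it into `kiosk-prepare.md`, which the remaining pages already reference as the configuration recommendations, rather than deleting it outright.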
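Review bot: after the first `toc.yml` hunk the table of contents has no entry for a restricted user experience / multi-app kiosk at all: "Configure a kiosk" (`kiosk-single-app.md`) is the only remaining configure entry, and the redirect target `create-xml` sits under "How-to guides" as "Create an Assigned Access XML file". A reader browsing the TOC for multi-app kiosk setup now has nothing to click; either add a concept entry that links to the XML how-to or reword that how-to entry so it is findable as the multi-app path.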