Update kiosk configuration and documentation

2025-05-12 13:27:23 +00:00 · 2024-02-01 15:08:27 -05:00 · 2024-02-01 15:08:27 -05:00 · 0169e5f83c
commit 0169e5f83c
parent 17658aa2c4
5 changed files with 116 additions and 28 deletions
--- a/windows/configuration/kiosk/kiosk-policies.md
+++ b/windows/configuration/kiosk/kiosk-policies.md
@ -3,7 +3,7 @@ title: Policies enforced on kiosk devices (Windows 10/11)
 description: Learn about the policies enforced on a device when you configure it as a kiosk.
 ms.topic: article
 ms.date: 12/31/2017
--- 
+---

 # Policies enforced on kiosk devices

@ -59,3 +59,40 @@ Some of the MDM policies based on the [Policy configuration service provider (CS
 | [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes |
 | [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No |
 | [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes |
+
+
+<!--
+## Start Menu
+
+Remove access to the context menus for the task bar
+Clear history of recently opened documents on exit
+Prevent users from customizing their Start Screen
+Prevent users from uninstalling applications from Start
+Remove All Programs list from the Start menu
+Remove Run menu from Start Menu
+
+## Desktop
+
+Hide and disable all items on the desktop
+
+## Task bar
+
+Disable showing balloon notificationss as toast
+Do not allow pinning items in Jump Lists
+Do not allow pinning programs to the Taskbar
+Do not display or track items in Jump Lists from remote locations
+Remove Notification Center
+Remove Control Center
+Lock all taskbar settings
+Lock the Taskbar
+Prevent users from adding or removing toolbars
+Prevent users from moving taskbar to another screen dock location
+Prevent users from rearranging toolbars
+Prevent users from resizing the taskbar
+Remove frequent programs list from the Start Menu
+Remove the Security and Maintenance icon
+Turn off all balloon notifications
+Turn off feature advertisement balloon notifications
+Hide the Task View button
+
+-->
--- a/windows/configuration/kiosk/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk/kiosk-shelllauncher.md
@ -1,13 +1,13 @@
 ---
-title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11)
-description: Shell Launcher lets you change the default shell that launches when a user signs in to a device.
-ms.topic: article
+title: Use Shell Launcher to create a kiosk experience
+description: Learn how to configure Shell Launcher to change the default Windows shell when a user signs in to a device.
+ms.topic: how-to
 ms.date: 12/31/2017
 ---

 # Use Shell Launcher to create a Windows client kiosk

-Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
+Shell Launcher is a Windows feature that can enable a device to execute an application as the user interface, replacing the default shell (`explorer.exe`).

 >[!NOTE]
 >Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
--- a/windows/configuration/kiosk/toc.yml
+++ b/windows/configuration/kiosk/toc.yml
@ -1,11 +1,11 @@
 items:
- name: Configure kiosks and digital signs on Windows desktop editions
+- name: Configure kiosks and restricted user experience
  href: kiosk-methods.md
 - name: Quickstarts
  items:
-    - name: Configure a single-app kiosk
+    - name: Configure a kiosk experience
      href: quickstart-single-app.md
-    - name: Configure a multi-app kiosk
+    - name: Configure a restricted user experience
      href: quickstart-multi-app.md
 - name: Prepare a device for kiosk configuration
  href: kiosk-prepare.md
--- a/windows/configuration/start/configure.md
+++ b/windows/configuration/start/configure.md
@ -0,0 +1,60 @@
+---
+title: Configure Start menu
+description: Learn about the available options to configure the Windows Start menu and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
+ms.topic: how-to
+ms.date: 01/30/2024
+---
+
+# Configure Start menu
+
+To configure the Windows Start menu in your organization, you can use one of the following options:
+
+- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [Policy CSP][WIN-1] is used to configure Start, and to report the status of its configuration to the MDM solution
+- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
+
+## Start policy settings
+
+This section describes the policy settings to configure Start via configuration service provider (CSP) and group policy (GPO).
+
+### Policy settings list
+
+The list of settings is sorted alphabetically and organized in two categories:
+
+- **Common settings**:
+- **Other**:
+
+Select one of the tabs to see the list of available settings:
+
+#### [:::image type="icon" source=""::: **Common settings**](#tab/common)
+
+The following table lists the Start policy settings, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the setting name for more details.
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Allow standard user encryption](#allow-standard-user-encryption)|✅|❌|
+|[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
+|[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
+|[Configure recovery password rotation](#configure-recovery-password-rotation)|✅|❌|
+|[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
+|[Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)|❌|✅|
+|[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
+|[Require device encryption](#require-device-encryption)|✅|❌|
+|[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
+
+[!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
+[!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
+[!INCLUDE [choose-drive-encryption-method-and-cipher-strength](includes/choose-drive-encryption-method-and-cipher-strength.md)]
+[!INCLUDE [configure-recovery-password-rotation](includes/configure-recovery-password-rotation.md)]
+[!INCLUDE [disable-new-dma-devices-when-this-computer-is-locked](includes/disable-new-dma-devices-when-this-computer-is-locked.md)]
+[!INCLUDE [prevent-memory-overwrite-on-restart](includes/prevent-memory-overwrite-on-restart.md)]
+[!INCLUDE [provide-the-unique-identifiers-for-your-organization](includes/provide-the-unique-identifiers-for-your-organization.md)]
+[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
+[!INCLUDE [validate-smart-card-certificate-usage-rule-compliance](includes/validate-smart-card-certificate-usage-rule-compliance.md)]
+
+#### [:::image type="icon" source="images/os-drive.svg"::: **Other**](#tab/os)
+
+---
+
+<!--links-->
+
+[WIN-1]: /windows/client-management/mdm/policy-csp
--- a/windows/configuration/start/start-layout-xml-desktop.md
+++ b/windows/configuration/start/start-layout-xml-desktop.md
@ -14,20 +14,14 @@ appliesto:
 On Windows 10 for desktop editions, the customized Start works by:

 - Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region.
-
 - Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints:
-    - Two groups that are six columns wide, or equivalent to the width of three medium tiles.
-    - Two medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
-
-    - No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x 3 columns x 2 rows).
-
-
+  - Two groups that are six columns wide, or equivalent to the width of three medium tiles.
+  - Two medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
+  - No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x 3 columns x 2 rows).

 >[!NOTE]
 >To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).

-
-
 ## LayoutModification XML

 IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions.
@ -39,7 +33,7 @@ The XML schema for `LayoutModification.xml` requires the following order for tag
 1. LayoutOptions
 1. DefaultLayoutOverride
 1. RequiredStartGroupsCollection
-1. AppendDownloadOfficeTile –OR– AppendOfficeSuite (only one Office option can be used at a time)
+1. AppendDownloadOfficeTile - OR - AppendOfficeSuite (only one Office option can be used at a time)
 1. AppendOfficeSuiteChoice
 1. TopMFUApps
 1. CustomTaskbarLayoutCollection
@ -52,11 +46,13 @@ Comments are not supported in the `LayoutModification.xml` file.

 >[!NOTE]
 >To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file:
+>
 >- Do not leave spaces or white lines in between each element.
 >- Do not add comments inside the StartLayout node or any of its children elements.
 >- Do not add multiple rows of comments.

 The following table lists the supported elements and attributes for the LayoutModification.xml file.
+
 > [!NOTE]
 > RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images.

@ -81,15 +77,11 @@ The following table lists the supported elements and attributes for the LayoutMo

 New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:

- Boot to tablet mode can be set on or off.
-
- Set full screen Start on desktop to on or off.
-
-    To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false.
-
- Specify the number of columns in the Start menu to 1 or 2.
-
-    To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2.
+- Boot to tablet mode can be set on or off
+- Set full screen Start on desktop to on or off
+  To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false
+- Specify the number of columns in the Start menu to 1 or 2
+  To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2

 The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu:

@ -221,7 +213,6 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
          Column="2"/>
  ```

-
 You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.

 To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`.