From 0aa2f7c43100934409f846916af2e0b765eb3b30 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Sat, 3 Feb 2024 12:15:59 -0500
Subject: [PATCH] Add quickstart guides to kiosk configuration
---
.../configuration/kiosk/quickstart-kiosk.md | 159 ++++++++++++++++++
.../kiosk/quickstart-restricted-experience.md | 75 +++++++++
windows/configuration/kiosk/toc.yml | 6 +
3 files changed, 240 insertions(+)
create mode 100644 windows/configuration/kiosk/quickstart-kiosk.md
create mode 100644 windows/configuration/kiosk/quickstart-restricted-experience.md
diff --git a/windows/configuration/kiosk/quickstart-kiosk.md b/windows/configuration/kiosk/quickstart-kiosk.md
new file mode 100644
index 0000000000..2686019689
--- /dev/null
+++ b/windows/configuration/kiosk/quickstart-kiosk.md
@@ -0,0 +1,159 @@
+---
+title: "Quickstart: configure a single-app kiosk"
+description: Learn how to configure a single-app kiosk using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
+ms.topic: quickstart
+ms.date: 01/29/2024
+---
+
+# Quickstart: configure a kiosk experience
+
+The configuration of a single-app kiosk can be done using:
+
+- Microsoft Intune/MDM
+- a provisioning package (PPKG)
+- PowerShell
+- the Settings app
+
+When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed.
+The other options allow you to configure a single app kiosk using a local account, or an account defined in the directory.
+
+Follow the instructions below to configure your devices, selecting the option that best suits your needs.
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+[!INCLUDE [intune-custom-settings-1](../../../includes/configure/intune-custom-settings-1.md)]
+
+| Setting |
+|--------|
+|
OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** Data type: **Integer** Value: **1**|
+
+[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-info](../../../includes/configure/intune-custom-settings-info.md)]
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings:
+
+| Setting |
+|--------|
+| Path: **`SharedPC/AccountManagement/KioskModeAUMID`** Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**|
+| Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`** Value: **Take a Test** (or a string of your choice to display in the sing-in screen)|
+
+Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
+
+#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+
+> [!IMPORTANT]
+> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
+>
+> To test a PowerShell script, you can:
+>
+> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
+> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
+> 1. Run the script in the PowerShell session
+
+Edit the following sample PowerShell script to:
+
+- Customize the assessment URL with **$testURL**
+- Change the kiosk user tile name displayed in the sign-in screen with **$userTileName**
+
+```powershell
+$testURL = "https://contoso.com/algebra-exam"
+$userTileName = "Take a Test"
+$namespaceName = "root\cimv2\mdm\dmmap"
+$ParentID="./Vendor/MSFT/Policy/Config"
+
+#Configure SharedPC
+$className = "MDM_SharedPC"
+$instance = "SharedPC"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.AccountModel = 1
+$cimObject.EnableAccountManager = $true
+$cimObject.KioskModeAUMID = "Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App"
+$cimObject.KioskModeUserTileDisplayText = $userTileName
+Set-CimInstance -CimInstance $cimObject
+
+#Configure SecureAssessment
+$className = "MDM_SecureAssessment"
+$instance = "SecureAssessment"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.LaunchURI= $testURL
+Set-CimInstance -CimInstance $cimObject
+
+#Configure interactive logon
+$className = "MDM_Policy_Config01_LocalPoliciesSecurityOptions02"
+$instance = "LocalPoliciesSecurityOptions"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.InteractiveLogon_DoNotDisplayLastSignedIn = 1
+Set-CimInstance -CimInstance $cimObject
+
+#Configure Windows logon
+$className = "MDM_Policy_Config01_WindowsLogon02"
+$instance = "WindowsLogon"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.HideFastUserSwitching = 1
+Set-CimInstance -CimInstance $cimObject
+```
+
+#### [:::image type="icon" source="images/icons/windows-os.svg"::: **Settings app**](#tab/win)
+
+To create a local account, and configure Take a Test in kiosk mode using the Settings app:
+
+1. Sign into the Windows device with an administrator account
+1. Open the **Settings** app and select **Accounts** > **Other Users**
+1. Under **Other users**, select **Add account** > **I don't have this person's sign-in information** > **Add a user without a Microsoft account**
+1. Provide a user name and password for the account that will be used for testing
+ :::image type="content" source="./images/takeatest/settings-accounts-create-take-a-test-account.png" alt-text="Use the Settings app to create a test-taking account." border="true":::
+1. Select **Accounts > Access work or school**
+1. Select **Create a test-taking account**
+ :::image type="content" source="./images/takeatest/settings-accounts-set-up-take-a-test-account.png" alt-text="Use the Settings app to set up a test-taking account." border="true":::
+1. Under **Add an account for taking tests**, select **Add account** > Select the account created in step 4
+ :::image type="content" source="./images/takeatest/settings-accounts-choose-take-a-test-account.png" alt-text="Use the Settings app to choose the test-taking account." border="true":::
+1. Under **Enter the tests's web address**, enter the assessment URL
+1. Under **Test taking settings** select the options you want to enable during the test
+ - To enable printing, select **Require printing**
+
+ > [!NOTE]
+ > Make sure a printer is pre-configured on the Take a Test account if you're enabling this option.
+
+ - To enable teachers to monitor screens, select **Allow screen monitoring**
+ - To allow text suggestions, select **Allow text suggestions**
+
+1. To take the test, a student must sign in using the test-taking account selected in step 4
+ :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true":::
+
+ > [!NOTE]
+ > To sign-in with a local account on a device that is joined to Microsoft Entra ID or Active Directory, you must prefix the username with either `\` or `.\`.
+
+---
+
+## How to use Take a Test in kiosk mode
+
+Once the devices are configured, a new user tile will be available in the sign-in screen. If selected, Take a Test will be executed in kiosk mode using the guest account, opening the assessment URL.
+
+## How to exit Take a Test
+
+To exit the Take a Test app at any time, press Ctrl+Alt+Delete. You'll be prompted to sign out of the test-taking account, or return to the test. Once signed out, the device will be unlocked from kiosk mode and can be used as normal.
+
+The following animation shows the process of signing in to the test-taking account, taking a test, and exiting the test:
+
+:::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true":::
+
+
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
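Review bot: The sample script in the PowerShell tab has no error handling, so by default a failed `Get-CimInstance` or `Set-CimInstance` (for example when the session is not running as SYSTEM, which the IMPORTANT note above it requires) does not stop the run, and the device can be left with only part of the lockdown applied. I would add `$ErrorActionPreference = 'Stop'` as the first line of the script, plus a sentence telling the reader to confirm each setting afterwards. The scripted tabs also do not configure the same thing: the Intune tab sets only `InteractiveLogon_DoNotDisplayLastSignedIn`, the PPKG tab sets the kiosk AUMID and tile text but no launch URL, and only the PowerShell tab sets all of these plus `HideFastUserSwitching`. Because `psexec.exe -i -s powershell.exe` opens an interactive SYSTEM shell, the note should say it is meant for a test device and that the session should be closed once testing is done.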
diff --git a/windows/configuration/kiosk/quickstart-restricted-experience.md b/windows/configuration/kiosk/quickstart-restricted-experience.md
new file mode 100644
index 0000000000..8efadba6cf
--- /dev/null
+++ b/windows/configuration/kiosk/quickstart-restricted-experience.md
@@ -0,0 +1,75 @@
+---
+title: "Quickstart: Configure a restricted user experience"
+description: Learn how to configure a restricted user experience using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
+ms.topic: quickstart
+ms.date: 01/29/2024
+---
+
+# Quickstart: Configure a restricted user experience
+
+This quickstart provides practical examples of how to configure a restricted user experience on Windows.
+
+A restricted user experience allows you to control which applications are allowed to be executed in a locked down Windows desktop.
+
+The examples describe the steps using Windows Configuration Designer, Microsoft Intune, PowerShell, and group policy.
+
+## Prerequisites
+
+
+
+## Open [Cloud Shell, Azure CLI, or PowerShell]
+
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
+Content-Type: application/json
+
+{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example", "description": "Collection of settings for Assigned Access", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "HideTaskViewButton", "description": "Hide the task View Button", "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideTaskViewButton", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "HideSwitchAccount", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideSwitchAccount", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "HideSignOut", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideSignOut", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "HideShutDown", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideShutDown", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "HideRestart", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideRestart", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "HideRecommendedSection", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedSection", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "AllowPinnedFolderSettings", 
"description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderSettings", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "ConfigureSearchOnTaskbarMode", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Search/ConfigureSearchOnTaskbarMode", "secretReferenceValueId": null, "isEncrypted": false, "value": 0, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "StartLayout", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/StartLayout", "secretReferenceValueId": "0c90cfe3-8e60-4fd5-b0c6-d47addf7c65d_2c9b3961-f9df-43ac-8e14-c90a31a5067e_3aa60e8b-4dcb-4ce5-be8e-1bbd5211429b", "isEncrypted": true, "value": "****" }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "DisableSearch", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Search/DisableSearch", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "HideUserTile", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideUserTile", "secretReferenceValueId": null, "isEncrypted": false, "value": 1, "isReadOnly": false }, { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" }, { "@odata.type": "#microsoft.graph.omaSettingInteger", "displayName": "EnableTouchKeyboardAutoInvokeInDesktopMode", "description": null, "omaUri": "./Device/Vendor/MSFT/Policy/Config/TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode", "secretReferenceValueId": null, "isEncrypted": false, "value": 2, 
"isReadOnly": false } ], "assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations('2c9b3961-f9df-43ac-8e14-c90a31a5067e')/microsoft.graph.windows10CustomConfiguration/assignments" }
+```
+
+
+
+## [verb] * [noun]
+
+[Introduce a task and its role in completing the process.]
+
+
+
+1. Procedure step
+1. Procedure step
+1. Procedure step
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Next sequential article title](link.md)
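Review bot: The Graph request body in the `msgraph-interactive` block reads like an export of an existing profile rather than a create payload: it carries an `id`, a `secretReferenceValueId` for `StartLayout`, and an `assignments@odata.context` URL that embeds a configuration GUID. I would replace those with labelled placeholders or drop them, so that no tenant object identifiers are published and readers do not POST server-generated fields back. `StartLayout` is shown as `"value": "****"` with `"isEncrypted": true`, and the `AssignedAccess_Configuration` value is only whitespace as it appears here, so the sample as written would not deliver an Assigned Access configuration; it needs the actual XML or a pointer to it. The rest of the file is still template scaffolding (empty Prerequisites, `## [verb] * [noun]`, `Procedure step`, `[Next sequential article title](link.md)`), while the toc.yml hunk already links to it.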
diff --git a/windows/configuration/kiosk/toc.yml b/windows/configuration/kiosk/toc.yml
index 3362daaabd..947226dafc 100644
--- a/windows/configuration/kiosk/toc.yml
+++ b/windows/configuration/kiosk/toc.yml
@@ -1,6 +1,12 @@
items:
- name: Overview
href: kiosk-methods.md
+- name: Quickstarts
+ items:
+ - name: Configure a kiosk experience
+ href: quickstart-kiosk.md
+ - name: Configure a restricted user experience
+ href: quickstart-restricted-experience.md
- name: Prepare a device for kiosk configuration
href: kiosk-prepare.md
- name: Set up digital signs