diff --git a/windows/configuration/assigned-access/configure.md b/windows/configuration/assigned-access/configure.md index 4da839aea9..f51ba4c7ef 100644 --- a/windows/configuration/assigned-access/configure.md +++ b/windows/configuration/assigned-access/configure.md @@ -46,8 +46,6 @@ Here are the steps to configure a kiosk using the Settings app: - Which URL should be open when the kiosk accounts signs in - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) - :::image type="content" source="images/settings-choose-app.png" alt-text="Screenshot of the dialog box asking to select an app." border="false"::: - 1. Select **Close** - UWP diff --git a/windows/configuration/assigned-access/images/settings-choose-app.png b/windows/configuration/assigned-access/images/settings-choose-app.png deleted file mode 100644 index 60bae4e5f0..0000000000 Binary files a/windows/configuration/assigned-access/images/settings-choose-app.png and /dev/null differ diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md index 41ec638681..1a47625b6a 100644 --- a/windows/configuration/assigned-access/index.md +++ b/windows/configuration/assigned-access/index.md @@ -75,40 +75,3 @@ There are several kiosk configuration methods that you can choose from, dependin >[!NOTE] >For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. - - - \ No newline at end of file diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/overview.md index 0aa8a12cb4..a27cdd000b 100644 --- a/windows/configuration/assigned-access/overview.md +++ b/windows/configuration/assigned-access/overview.md @@ -87,3 +87,33 @@ Assigned Access uses the *Lock framework*. When an Assigned Access user signs in ## Test your Assigned Access experience It's recommended to thoroughly test the Assigned Access kiosk configuration, ensuring that your devices provide a good user experience. + +> [!NOTE] +> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11. + +The Assigned Access feature is intended for dedicated devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, impacting other users on the device. Deleting the kiosk configuration removes the Assigned Access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, the Start layout). To clear all the policy settings enforced by Assigned Access, you must reset Windows. + +## Troubleshooting + +Event Viewer +Run "eventvwr.msc" +Navigate to "Applications and Services Logs" +There are 2 areas of your interests: +"Microsoft-Windows-AssignedAccess" +"Microsoft-Windows-AssignedAccessBroker" +Before any repro, it's recommended to enable "Operational" channel to get the most of logs. +TraceLogging + +Registry Key +These locations contain the latest Assigned Access Configuration: + +HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration +HKLM\SOFTWARE\Microsoft\Windows\AssignedAccessCsp +These locations contain the latest "evaluated" configuration for each sign-in user: + +"HKCU\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration" (If it doesn't exist, it means no Assigned Access to be enforced for this user.) + +> [!NOTE] +> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. + +--> diff --git a/windows/configuration/assigned-access/quickstart-kiosk.md b/windows/configuration/assigned-access/quickstart-kiosk.md index eca6f0da57..b9b2ff0ad2 100644 --- a/windows/configuration/assigned-access/quickstart-kiosk.md +++ b/windows/configuration/assigned-access/quickstart-kiosk.md @@ -46,8 +46,6 @@ Here are the steps to configure a kiosk using the Settings app: - Which URL should be open when the kiosk accounts signs in - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) - :::image type="content" source="images/settings-choose-app.png" alt-text="Screenshot of the dialog box asking to select an app." border="false"::: - 1. Select **Close** #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) diff --git a/windows/configuration/assigned-access/recommendations.md b/windows/configuration/assigned-access/recommendations.md index 31368ac32f..46bcbf4ad5 100644 --- a/windows/configuration/assigned-access/recommendations.md +++ b/windows/configuration/assigned-access/recommendations.md @@ -218,7 +218,6 @@ How to edit the registry to have an account sign in automatically: > [!WARNING] > Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the Assigned Access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - ## Interactions and interoperability The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. diff --git a/windows/configuration/assigned-access/toc.yml b/windows/configuration/assigned-access/toc.yml index 06ba88b414..de5da4e25c 100644 --- a/windows/configuration/assigned-access/toc.yml +++ b/windows/configuration/assigned-access/toc.yml @@ -17,7 +17,7 @@ items: href: configure.md - name: Create an Assigned Access configuration file href: configuration-file.md - - name: Prepare a device for kiosk configuration + - name: Recommendations href: recommendations.md - name: Reference items: