deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

complete through AppLocker topic

Browse Source
This commit is contained in:
jdeckerMS 2017-02-15 14:09:26 -08:00
parent c3b49ab8b2
commit 2560ef9558
4 changed files with 23 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
windows/configure/guidelines-for-assigned-access-app.md
View File

@ -20,7 +20,7 @@ localizationpriority: high
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607. The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
## General guidelines ## General guidelines
@ -82,19 +82,7 @@ The above guidelines may help you select or develop an appropriate Windows app f
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) [Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
 
   

5
windows/configure/lock-down-windows-10-to-specific-apps.md
View File

@ -112,14 +112,11 @@ In addition to specifying the apps that users can run, you should also restrict
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442). To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
## Customize Start screen layout for the device ## Customize Start screen layout for the device (recommended)
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
## Related topics
- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)
   

49
windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
View File

@ -19,10 +19,10 @@ localizationpriority: high
> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) > **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
**Note**   >[!NOTE]
A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. >A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
   
@ -63,8 +63,8 @@ For a more secure kiosk experience, we recommend that you make the following con
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
   
<span id="assigned-access" />
## <a href="" id="assigned-access-method"></a>Assigned access method for Universal Windows apps ## Assigned access method for Universal Windows apps
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
@ -73,7 +73,7 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo
| --- | --- | --- | | --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | | [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | | [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | | [Create a provisioning package using Windows Configuration Designer (ICD)](#set-up-assigned-access-wcd) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | | [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
@ -88,8 +88,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo
The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.
**Note**   >[!NOTE]  
Assigned access does not work on a device that is connected to more than one monitor. >Assigned access does not work on a device that is connected to more than one monitor.
   
@ -115,16 +115,16 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you
[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) [See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608)
### <a href="" id="icd"></a>Set up assigned access using Windows Imaging and Configuration Designer (ICD) <sp id="set-up-assigned-access-wcd" />
### Set up assigned access using Windows Configuration Designer
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) >[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
**Create a provisioning package for a kiosk device** 1. [install Windows Configuration Designer](provisioning-install-icd.md)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). 2. Open Windows Configuration Designer
2. Choose **Advanced provisioning**. 2. Choose **Advanced provisioning**.
@ -169,15 +169,8 @@ When you build a provisioning package, you may include sensitive information in
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
**Apply the provisioning package** [Learn how to apply a provisioning package.](provisioning-apply-package.md)
1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges.
2. Consent to allow the package to be installed.
After you allow the package to be installed, the settings will be applied to the device
[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012)
### Set up assigned access using Windows PowerShell ### Set up assigned access using Windows PowerShell
@ -255,7 +248,8 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
## <a href="" id="local-user-policy"></a>Shell Launcher for Classic Windows applications <span id="shell-launcher" />
## Shell Launcher for Classic Windows applications
Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
@ -425,17 +419,8 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
``` ```
## Related topics
[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Manage and update Windows 10](index.md)
 
   

13
windows/configure/set-up-shared-or-guest-pc.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
- Windows 10 - Windows 10
Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
> [!NOTE] > [!NOTE]
> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. > If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
@ -69,16 +69,16 @@ You can configure Windows to be in shared PC mode in a couple different ways:
![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) ![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png)
- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. - A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**.
![Shared PC settings in ICD](images/icd-adv-shared-pc.png) ![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
### Create a provisioning package for shared use ### Create a provisioning package for shared use
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1. [install Windows Configuration Designer](provisioning-install-icd.md)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). 1. Open Windows Configuration Designer.
2. On the **Start page**, select **Advanced provisioning**. 2. On the **Start page**, select **Advanced provisioning**.
@ -287,15 +287,10 @@ Shared PC mode sets local group policies to configure the device. Some of these
## Related topics
[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)