deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-mathavale-5324320-16-to-30

Browse Source
This commit is contained in:
Meghana Athavale 2021-09-24 10:19:55 +05:30
commit 2b5bca200c
32 changed files with 1129 additions and 475 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
windows/application-management/private-app-repository-mdm-company-portal-windows-11.md Normal file
View File

@ -0,0 +1,108 @@
---
title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs
description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices.
ms.assetid:
manager: dougeby
ms.author: mandia
ms.reviewer: amanh
ms.prod: w11
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: MandiOhlinger
ms.date: 09/15/2021
ms.localizationpriority: medium
---
# Private app repository in Windows 11
**Applies to**:
- Windows 11
Starting in Windows 11, administrators have new options to deploy apps to devices. The Microsoft Store will continue to allow users to install public and retail apps.
The Company Portal app is the private app repository for organizations and enterprises. It supports more app types and scenarios.
When the Company Portal app is installed, users open it, and see the apps your organization makes available. Users select an app, and install it.
This article discusses the Company Portal app installation options, adding organization apps, and more.
## Before you begin
The Company Portal app is included with Microsoft Endpoint Manager (MEM). Endpoint Manager is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It help manages your devices, and manage apps on your devices.
If you're not managing your devices using an MDM provider, the following resources may help you get started:
- [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
## Prerequisites
To use the Company Portal app:
- Users must have a work account that's already set up. For more information, see [Manage users and groups in Microsoft 365](/microsoft-365/admin/add-users).
- Your organization must have an Intune subscription. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses).
## Install the Company Portal app
To install the Company Portal app, you have some options:
- **Use Microsoft Endpoint Manager**: Endpoint Manager includes Microsoft Intune (cloud) and Configuration Manager (on-premises). With both services, you can add Microsoft Store apps, like the Company Portal app. Once added, you create an app policy that deploys and installs the Company Portal app to your devices.
- This option is preferred, and is the most scalable, especially if you have many devices. When you create the app policy, the policy can be deployed to many users and many devices simultaneously. Admins can also use reporting to make sure the app is installed on organization-managed devices.
- On co-managed devices, which are managed by Microsoft Intune + Configuration Manager together, the Company Portal app shows your Intune apps and your Configuration Manager apps. So, all apps are shown in one place.
- When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates.
For more information, see:
- [What is Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
- [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows)
- [What is co-management?](/mem/configmgr/comanage/overview)
- [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal)
- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
- In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
- When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates.
For more information, see:
- [What is Windows Autopilot](/mem/autopilot/windows-autopilot)
- [Add and assign the Company Portal app for Autopilot provisioned devices](/mem/intune/apps/store-apps-company-portal-autopilot)
- **Use the Microsoft Store**: The Company Portal app is available in the Microsoft Store, and can be downloaded by your users. Users open the Microsoft Store app on their device, search for **Company Portal**, and install it. When it's installed, users might be prompted to sign in with their organization account (`user@contoso.com`). When the app opens, they see a list of approved organization apps that can be installed.
- This option requires users to install the Company Portal app themselves. If you have many users, the recommended approach is to deploy the Company Portal app using Endpoint Manager or using Windows Autopilot.
- When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store, go to the **Library**, and check for updates. Within the Company Portal app, they can use the update feature to get app fixes and feature updates on the organization apps you added.
## Customize the Company Portal app
Many organizations customize the Company Portal app to include their specific information. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more.
For more information, see [Configure the Intune Company Portal app](/mem/intune/apps/company-portal-app).
## Add your organization apps to the Company Portal app
When you add an app in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting.
On co-managed devices (Microsoft Intune + Configuration Manager together), your Configuration Manager apps can also be shown in the Company Portal app. For more information, see [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal).
When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Endpoint Manager admin center, see:
- [Add Microsoft 365 apps using Intune](/mem/intune/apps/apps-add-office365)
- [Add web apps using Intune](/mem/intune/apps/web-app)
- [Add LOB apps using Intune](/mem/intune/apps/lob-apps-windows)
- [Win32 app management in Intune](/mem/intune/apps/apps-win32-app-management)
- [Create and deploy an application with Configuration Manager](/mem/configmgr/apps/get-started/create-and-deploy-an-application)
If you use a third party or partner MDM provider, be sure to configure the settings that list your apps in the Company Portal app.
## Windows Package Manager
If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Endpoint Manager and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423).

4
windows/application-management/toc.yml
View File

@ -15,6 +15,8 @@ items:
href: add-apps-and-features.md
- name: Sideload apps
href: sideload-apps-in-windows-10.md
- name: Private app repo on Windows 11
href: private-app-repository-mdm-company-portal-windows-11.md
- name: Remove background task resource restrictions
href: enterprise-background-activity-controls.md
- name: Enable or block Windows Mixed Reality apps in the enterprise
@ -199,7 +201,7 @@ items:
items:
- name: Using the App-V client management console
href: app-v/appv-using-the-client-management-console.md
- name: Automatically clean-up unpublished packages on the App-V client
- name: Automatically clean up unpublished packages on the App-V client
href: app-v/appv-auto-clean-unpublished-packages.md
- name: Migrating
items:

20
windows/configuration/TOC.yml
View File

@ -4,10 +4,18 @@
items:
- name: Windows 11
items:
- name: Start menu layout
- name: Start menu
items:
- name: Customize Start menu layout
href: customize-start-menu-layout-windows-11.md
- name: Supported Start menu CSPs
href: supported-csp-start-menu-layout-windows.md
- name: Taskbar
items:
- name: Customize Taskbar
href: customize-taskbar-windows-11.md
- name: Supported Taskbar CSPs
href: supported-csp-taskbar-windows.md
- name: Windows 10 Start and taskbar
items:
- name: Start layout and taskbar
@ -54,16 +62,14 @@
href: kiosk-methods.md
- name: Prepare a device for kiosk configuration
href: kiosk-prepare.md
- name: Set up digital signs on Windows 10
- name: Set up digital signs
href: setup-digital-signage.md
- name: Set up a single-app kiosk
href: kiosk-single-app.md
- name: Set up a multi-app kiosk
href: lock-down-windows-10-to-specific-apps.md
- name: Set up a shared or guest PC with Windows 10
- name: Set up a shared or guest PC
href: set-up-shared-or-guest-pc.md
- name: Set up a kiosk on Windows 10 Mobile
href: mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
- name: Kiosk reference information
items:
- name: More kiosk methods and reference information
@ -80,9 +86,9 @@
href: kiosk-xml.md
- name: Use AppLocker to create a Windows 10 kiosk
href: lock-down-windows-10-applocker.md
- name: Use Shell Launcher to create a Windows 10 kiosk
- name: Use Shell Launcher to create a Windows client kiosk
href: kiosk-shelllauncher.md
- name: Use MDM Bridge WMI Provider to create a Windows 10 kiosk
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
href: kiosk-mdm-bridge.md
- name: Troubleshoot kiosk mode issues
href: kiosk-troubleshoot.md

246
windows/configuration/customize-taskbar-windows-11.md Normal file
View File

@ -0,0 +1,246 @@
---
title: Configure and customize Windows 11 taskbar | Microsoft Docs
description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded.
ms.assetid:
manager: dougeby
ms.author: mandia
ms.reviewer: chataylo
ms.prod: w11
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: MandiOhlinger
ms.localizationpriority: medium
---
# Customize the Taskbar on Windows 11
**Applies to**:
- Windows 11
> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps.
For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar.
To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs.
This article shows you how to create the XML file, add apps to the XML, and deploy the XML file.
## Before you begin
- There isn't a limit on the number of apps that you can pin. In the XML file, add apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app).
- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar.
- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed.
- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
- [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
## Create the XML file
1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins two apps to the taskbar - File Explorer and the Command Prompt:
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.Windows.Explorer"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows System\Command Prompt.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
2. In the `<taskbar:TaskbarPinList>` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps:
- `<taskbar:UWA>`: Select this option for UWP apps. Add the [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) of the UWP app.
- `<taskbar:DesktopApp>`: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app.
You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar.
For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
3. In the `<CustomTaskbarLayoutCollection>` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`:
- `<CustomTaskbarLayoutCollection>`: Keeps the default pinned apps. After the default apps, the apps you add are pinned.
- `<CustomTaskbarLayoutCollection PinListPlacement="Replace">`: Unpins the default apps. Only the apps you add are pinned.
If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to `<taskbar:TaskbarPinList>`, include the default apps you still want pinned.
4. In the `<defaultlayout:TaskbarLayout>` node, use `region=" | "` to use different taskbar configurations based on the device locale and region.
In the following XML example, two regions are added: `US|UK` and `DE|FR`:
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout region="US|UK">
<taskbar:TaskbarPinList >
<taskbar:UWA AppUserModelID="MSEdge"/>
<taskbar:UWA AppUserModelID="Microsoft.Windows.Explorer"/>
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows System\Command Prompt.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout region="DE|FR">
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.Windows.Explorer"/>
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows System\Command Prompt.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.Windows.Explorer"/>
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows System\Command Prompt.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
The taskbar applies when:
- If the `<TaskbarPinList>` node has a country or region, then the apps are pinned on devices configured for that country or region.
- If the `<TaskbarPinList>` node doesn't have a region tag for the current region, then the first `<TaskbarPinList>` node with no region is applied.
5. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices.
## Use Group Policy or MDM to create and deploy a taskbar policy
Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Endpoint Manager.
This section shows you how to deploy the XML both ways.
### Use Group Policy to deploy your XML file
Use the following steps to add your XML file to a group policy, and apply the policy:
1. Open your policy editor. For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies.
2. Go to one of the following policies:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
3. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled.
Your policy looks like the following policy:
:::image type="content" source="./images/customize-taskbar-windows-11/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices.":::
The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices.
4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
For more information on using group policies, see [Implement Group Policy Objects](/learn/modules/implement-group-policy-objects/).
### Create a Microsoft Endpoint Manager policy to deploy your XML file
MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list.
Use the following steps to create an Endpoint Manager policy that deploys your taskbar XML file:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
- **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
4. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**.
- **Description**: Enter a description for the profile. This setting is optional, and recommended.
5. Select **Next**.
6. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file.
7. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure).
8. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time.
For more information and guidance on assigning policies using Microsoft Endpoint Manager, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
> [!NOTE]
> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
## Get the AUMID and Desktop app link path
In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet:
1. On an existing Windows 11 device, pin the app to the Start menu.
2. Create a folder to save an output file. For example, create the `C:\Layouts` folder.
3. Open the Windows PowerShell app, and run the following cmdlet:
```powershell
Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml"
```
4. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file.
## Pin order for all apps
On a taskbar, the following apps are typically pinned:
- Apps pinned by the user
- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Microsoft Store.
- Apps pinned by your organization, such as in an unattended Windows setup.
In an unattended Windows setup file, use the XML file you created in this article. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks).
Apps are pinned in the following order:
1. Windows default apps are pinned first.
2. User-pinned apps are pinned after the Windows default apps.
3. XML-pinned apps are pinned after the user-pinned apps.
If the OS is configured to use a right-to-left language, then the taskbar order is reversed.
## OS install and upgrade
- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar:
- Apps you specifically add
- Any default apps you don't remove
After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps.
- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior:
- If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps.
- If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned.
- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps.
- New apps in updated layout file are pinned after the user's pinned apps.
After the layout is applied, users can pin more apps, change the order, and unpin apps.

2
windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
View File

@ -1,6 +1,6 @@
---
title: Find the Application User Model ID of an installed app
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
author: greg-lindsay

14
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -1,5 +1,5 @@
---
title: Guidelines for choosing an app for assigned access (Windows 10)
title: Guidelines for choosing an app for assigned access (Windows 10/11)
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
@ -9,8 +9,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 10/02/2018
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
---
@ -20,6 +19,7 @@ manager: dansimp
**Applies to**
- Windows 10
- Windows 11
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
@ -45,9 +45,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
## Guidelines for web browsers
In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but arent allowed to go to a competitor's website.
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but arent allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
@ -55,7 +55,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app
>Kiosk Browser cannot access intranet websites.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
@ -162,7 +162,7 @@ Check the guidelines published by your selected app and set up accordingly.
## Develop your kiosk app
Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
Assigned access in Windows client leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).

BIN
windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 169 KiB

BIN
windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/configuration/images/kiosk-account.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.6 KiB

BIN
windows/configuration/images/kiosk-common.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.8 KiB

BIN
windows/configuration/images/seven.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 325 B

BIN
windows/configuration/images/six.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 549 B

12
windows/configuration/includes/multi-app-kiosk-support-windows11.md Normal file
View File

@ -0,0 +1,12 @@
---
author: MandiOhlinger
ms.author: mandia
ms.date: 09/21/2021
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: w10
ms.topic: include
---
Currently, multi-app kiosk is only supported on Windows 10. It's not supported on Windows 11.

14
windows/configuration/kiosk-additional-reference.md
View File

@ -1,8 +1,8 @@
---
title: More kiosk methods and reference information (Windows 10)
title: More kiosk methods and reference information (Windows 10/11)
description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@ -20,6 +20,7 @@ ms.topic: reference
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
## In this section
@ -31,11 +32,8 @@ Topic | Description
[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience.
[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.
[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface.
[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
[Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps.
[Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface.
[Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.

8
windows/configuration/kiosk-mdm-bridge.md
View File

@ -1,8 +1,8 @@
---
title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10)
title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11)
description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@ -11,16 +11,16 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 11/07/2018
ms.topic: article
---
# Use MDM Bridge WMI Provider to create a Windows 10 kiosk
# Use MDM Bridge WMI Provider to create a Windows client kiosk
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).

57
windows/configuration/kiosk-methods.md
View File

@ -1,9 +1,9 @@
---
title: Configure kiosks and digital signs on Windows desktop editions (Windows 10)
ms.reviewer:
title: Configure kiosks and digital signs on Windows 10/11 desktop editions
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions.
description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -18,21 +18,29 @@ ms.topic: article
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use:
**Applies to**
- **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.
- Windows 10
- Windows 11
A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.
Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png)
- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.
- **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.
A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lock screen.
![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png)
- **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.
> [!NOTE]
> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)]
A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device.
![Illustration of a kiosk Start screen.](images/kiosk-desktop.png)
![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png)
Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
@ -40,19 +48,19 @@ There are several kiosk configuration methods that you can choose from, dependin
![icon that represents apps.](images/office-logo.png)
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
- **Which type of kiosk do you need?**
![icon that represents a kiosk.](images/kiosk.png)
If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
- **Which edition of Windows 10 will the kiosk run?**
- **Which edition of Windows client will the kiosk run?**
![icon that represents Windows.](images/windows.png)
All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home.
- **Which type of user account will be the kiosk account?**
@ -62,9 +70,7 @@ There are several kiosk configuration methods that you can choose from, dependin
>[!IMPORTANT]
>Single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
<span id="uwp" />
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
## Methods for a single-app kiosk running a UWP app
@ -100,15 +106,14 @@ You can use this method | For this edition | For this kiosk account type
Method | App type | Account type | Single-app kiosk | Multi-app kiosk
--- | --- | --- | :---: | :---:
[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X |
[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X |
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X |
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X
Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X |
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X
[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️ |
[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ |
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ |
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | ✔️
Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ |
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | ✔️
>[!NOTE]
>For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps.
>For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps.

6
windows/configuration/kiosk-policies.md
View File

@ -1,8 +1,8 @@
---
title: Policies enforced on kiosk devices (Windows 10)
title: Policies enforced on kiosk devices (Windows 10/11)
description: Learn about the policies enforced on a device when you configure it as a kiosk.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
@ -11,7 +11,6 @@ ms.sitesec: library
ms.pagetype: edu, security
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 07/30/2018
ms.author: greglin
ms.topic: article
---
@ -22,6 +21,7 @@ ms.topic: article
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11

405
windows/configuration/kiosk-prepare.md
View File

@ -1,8 +1,8 @@
---
title: Prepare a device for kiosk configuration (Windows 10)
title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs
description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@ -20,48 +20,205 @@ ms.topic: article
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
> [!WARNING]
> For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account.
>
> Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that might allow an attacker subverting the assigned access application to gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
> [!IMPORTANT]
> [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
>
> Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
## Before you begin
- [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
- Kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that's set up as a kiosk.
- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account.
Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account.
- MDM providers, such as [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
- [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
## Configuration recommendations
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
Recommendation | How to
--- | ---
Hide update notifications<br>(New in Windows 10, version 1809) | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:<br>**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
Enable and schedule automatic updates | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`<br>-or-<br>Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`<br><br>**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.<br><br>To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
Enable automatic restart at the scheduled time | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time**
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled**
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
Disable the hardware power button. | Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
Remove the power button from the sign-in screen. | Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
Disable the camera. | Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
Turn off app notifications on the lock screen. | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
Disable removable media. | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications`
- **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Use the registry**:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
- `1`: Hides all notifications except restart warnings.
- `2`: Hides all notifications, including restart warnings.
- **Enable and schedule automatic updates**. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`.
- **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available.
- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`.
- **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting.
Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11.
Your options:
- Use the **Settings** app:
1. Open the **Settings** app.
2. Go to **System** > **Tablet mode**.
3. Configure the settings you want.
- Use the **Action Center**:
1. On your device, swipe in from the left.
2. Select **Tablet mode**.
- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
- **Use an MDM provider**: In Endpoint Manager, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
- **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen).
- **Disable the hardware power button**: To enable this feature, you have the following options:
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
3. Select **Do nothing**.
4. **Save changes**.
- **Use Group Policy**: Your options:
- `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**.
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
- `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy.
To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group.
- **Use an MDM provider**: In Endpoint Manager, you have some options:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `Power\Select Power Button Action on Battery`: Set to **Take no action**.
- `Power\Select Power Button Action on Plugged In`: Set to **Take no action**.
- `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting:
- `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage.
- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options:
- **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
- **Use MDM**: In Endpoint Manager, you have the following option:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**.
- **Disable the camera**: To enable this feature, you have the following options:
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **Privacy** > **Camera**.
3. Select **Allow apps use my camera** > **Off**.
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
- **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Endpoint Manager, you have the following options:
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- `Camera\Allow camera`: Set to **Not allowed**.
- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options:
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Notifications & actions**.
3. In **Show notifications on the lock screen**, select **Off**.
- **Use Group policy**:
- `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Endpoint Manager, you have the following options:
- [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- **Disable removable media**: To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
- **Use an MDM provider**: In Endpoint Manager, you have the following options:
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
## Enable logging
Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png)
:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
## Automatic logon
In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
> [!NOTE]
> If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
@ -88,7 +245,7 @@ In addition to the settings in the table, you may want to set up **automatic log
- *DefaultPassword*: set value as the password for the account.
> [!NOTE]
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
@ -104,150 +261,56 @@ In addition to the settings in the table, you may want to set up **automatic log
The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
> [!Note]
> Where applicable, the table notes which features are optional that you can configure for assigned access.
- **Accessibility**: Assigned access does not change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Feature</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Accessibility</p></td>
<td><p>Assigned access does not change Ease of Access settings.</p>
<p>We recommend that you use <a href="/windows-hardware/customize/enterprise/keyboardfilter" data-raw-source="[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)">Keyboard Filter</a> to block the following key combinations that bring up accessibility features:</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Key combination</th>
<th>Blocked behavior</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Left Alt+Left Shift+Print Screen</p></td>
<td><p>Open High Contrast dialog box.</p></td>
</tr>
<tr class="even">
<td><p>Left Alt+Left Shift+Num Lock</p></td>
<td><p>Open Mouse Keys dialog box.</p></td>
</tr>
<tr class="odd">
<td><p>Windows logo key+U</p></td>
<td><p>Open Ease of Access Center.</p></td>
</tr>
</tbody>
</table>
<p> </p></td>
</tr>
<tr class="even">
<td><p>Assigned access Windows PowerShell cmdlets</p></td>
<td><p>In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see <a href="/powershell/module/assignedaccess/?view=win10-ps" data-raw-source="[Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/?view=win10-ps)">Assigned access Windows PowerShell reference</a>.</p></td>
</tr>
<tr class="odd">
<td><p>Key sequences blocked by assigned access</p></td>
<td><p>When in assigned access, some key combinations are blocked for assigned access users.</p>
<p>Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use <a href="/windows-hardware/customize/enterprise/keyboardfilter" data-raw-source="[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)">Keyboard Filter</a> to block these key combinations.</p>
<p>Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in <a href="/windows-hardware/customize/enterprise/wekf-settings" data-raw-source="[WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings)">WEKF_Settings</a>.</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Key combination</th>
<th>Blocked behavior for assigned access users</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Alt+Esc</p></td>
<td><p>Cycle through items in the reverse order from which they were opened.</p></td>
</tr>
<tr class="even">
<td><p>Ctrl+Alt+Esc</p></td>
<td><p>Cycle through items in the reverse order from which they were opened.</p></td>
</tr>
<tr class="odd">
<td><p>Ctrl+Esc</p></td>
<td><p>Open the Start screen.</p></td>
</tr>
<tr class="even">
<td><p>Ctrl+F4</p></td>
<td><p>Close the window.</p></td>
</tr>
<tr class="odd">
<td><p>Ctrl+Shift+Esc</p></td>
<td><p>Open Task Manager.</p></td>
</tr>
<tr class="even">
<td><p>Ctrl+Tab</p></td>
<td><p>Switch windows within the application currently open.</p></td>
</tr>
<tr class="odd">
<td><p>LaunchApp1</p></td>
<td><p>Open the app that is assigned to this key.</p></td>
</tr>
<tr class="even">
<td><p>LaunchApp2</p></td>
<td><p>Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.</p></td>
</tr>
<tr class="odd">
<td><p>LaunchMail</p></td>
<td><p>Open the default mail client.</p></td>
</tr>
<tr class="even">
<td><p>Windows logo key</p></td>
<td><p>Open the Start screen.</p></td>
</tr>
</tbody>
</table>
<p> </p>
<p>Keyboard Filter settings apply to other standard accounts.</p></td>
</tr>
<tr class="even">
<td><p>Key sequences blocked by <a href="/windows-hardware/customize/enterprise/keyboardfilter" data-raw-source="[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)">Keyboard Filter</a></p></td>
<td><p>If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the <a href="/windows-hardware/customize/enterprise/keyboardfilter" data-raw-source="[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)">Keyboard Filter</a> reference topic.</p>
<p><a href="/windows-hardware/customize/enterprise/keyboardfilter" data-raw-source="[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)">Keyboard Filter</a> is only available on Windows 10 Enterprise or Windows 10 Education.</p>
</td>
</tr>
<tr class="odd">
<td><p>Power button</p></td>
<td><p>Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.</p>
<p>For more information on removing the power button or disabling the physical power button, see <a href="/windows-hardware/customize/enterprise/custom-logon" data-raw-source="[Custom Logon](/windows-hardware/customize/enterprise/custom-logon)">Custom Logon</a>.</p></td>
</tr>
<tr class="even">
<td><p>Unified Write Filter (UWF)</p></td>
<td><p>UWFsettings apply to all users, including those with assigned access.</p>
<p>For more information, see <a href="/windows-hardware/customize/enterprise/unified-write-filter" data-raw-source="[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)">Unified Write Filter</a>.</p></td>
</tr>
<tr class="odd">
<td><p>WEDL_AssignedAccess class</p></td>
<td><p>Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.</p>
<p>If you need to use assigned access API, see <a href="/windows-hardware/customize/enterprise/wedl-assignedaccess" data-raw-source="[WEDL_AssignedAccess](./w/windows-hardware/customize/enterprise/wedl-assignedaccess)">WEDL_AssignedAccess</a>.</p></td>
</tr>
<tr class="even">
<td><p>Welcome Screen</p></td>
<td><p>Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.</p>
<p>For more information, see <a href="/windows-hardware/customize/enterprise/custom-logon" data-raw-source="[Custom Logon](/windows-hardware/customize/enterprise/custom-logon)">Custom Logon</a>.</p></td>
</tr>
</tbody>
</table>
| Key combination | Blocked behavior |
| --- | --- |
| Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. |
| Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. |
| Windows logo key + U | Open Ease of Access Center. |
- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/)
<span id="test-vm"/>
- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users.
Alt + F4, Alt + Shift + Tab, Alt + Tab are not blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
| Key combination | Blocked behavior for assigned access users |
| --- | --- |
| Alt + Esc | Cycle through items in the reverse order from which they were opened. |
| Ctrl + Alt + Esc | Cycle through items in the reverse order from which they were opened. |
| Ctrl + Esc | Open the Start screen. |
| Ctrl + F4 | Close the window. |
| Ctrl + Shift + Esc | Open Task Manager. |
| Ctrl + Tab | Switch windows within the application currently open. |
| LaunchApp1 | Open the app that is assigned to this key. |
| LaunchApp2 | Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. |
| LaunchMail | Open the default mail client. |
| Windows logo key | Open the Start screen. |
Keyboard Filter settings apply to other standard accounts.
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education.
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it's in assigned access.
For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access.
For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter).
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess).
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.
For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
## Testing your kiosk in a virtual machine (VM)
@ -257,8 +320,8 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session.
![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png)
:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used.":::
To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog.
To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog:
![Do not select the connect button, use "close X" in the top corner](images/vm-kiosk-connect.png)
:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session.":::

13
windows/configuration/kiosk-shelllauncher.md
View File

@ -1,8 +1,8 @@
---
title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11)
description: Shell Launcher lets you change the default shell that launches when a user signs in to a device.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@ -14,13 +14,14 @@ ms.localizationpriority: medium
ms.topic: article
---
# Use Shell Launcher to create a Windows 10 kiosk
# Use Shell Launcher to create a Windows client kiosk
**Applies to**
- Windows 10 Ent, Edu
- Windows 11
Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
>[!NOTE]
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
@ -30,7 +31,7 @@ Using Shell Launcher, you can configure a device that runs an application as the
>- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
>- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
## Differences between Shell Launcher v1 and Shell Launcher v2
@ -292,7 +293,7 @@ Value|Description
These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommeded to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
``` xml
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>

286
windows/configuration/kiosk-single-app.md
View File

@ -1,8 +1,8 @@
---
title: Set up a single-app kiosk (Windows 10)
description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
title: Set up a single-app kiosk on Windows 10/11
description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@ -11,18 +11,18 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 01/09/2019
ms.topic: article
---
# Set up a single-app kiosk
# Set up a single-app kiosk on Windows 10/11
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png)
@ -33,48 +33,69 @@ A single-app kiosk uses the Assigned Access feature to run a single app above th
You have several options for configuring your single-app kiosk.
Method | Description
--- | ---
[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. <br><br>This method is supported on Windows 10 Pro, Enterprise, and Education.
[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.<br><br>This method is supported on Windows 10 Pro, Enterprise, and Education.
[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.<br><br>This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.<br><br>This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.
This option supports:
>[!TIP]
>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
- Windows 10 Pro, Enterprise, and Education
- Windows 11
- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.
This option supports:
- Windows 10 Pro, Enterprise, and Education
- Windows 11
- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings.
This option supports:
- Windows 10 Pro version 1709+, Enterprise, and Education
- Windows 11
- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration.
This option supports:
- Windows 10 Pro version 1709+, Enterprise, and Education
- Windows 11
> [!TIP]
> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
>
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="local"/>
## Set up a kiosk in local Settings
>App type: UWP
>App type:
> - UWP
>
>OS edition: Windows 10 Pro, Ent, Edu
>OS:
> - Windows 10 Pro, Ent, Edu
> - Windows 11
>
>Account type: Local standard user
>Account type:
> - Local standard user
You can use **Settings** to quickly configure one or a few devices as a kiosk.
When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
![Screenshot of automatic sign-in setting.](images/auto-signin.png)
![Screenshot of automatic sign-in setting.](images/auto-signin.png)
### Instructions for Windows 10, version 1809
### Windows 10 version 1809+ / Windows 11
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time.
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings:
**To set up assigned access in PC settings**
1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other users**.
1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**.
2. Select **Set up a kiosk > Assigned access**, and then select **Get started**.
@ -94,15 +115,15 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi
To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**.
### Instructions for Windows 10, version 1803 and earlier
### Windows 10 version 1803 and earlier
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
![The Set up assigned access page in Settings.](images/kiosk-settings.png)
**To set up assigned access in PC settings**
1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other people**.
1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
2. Select **Set up assigned access**.
@ -110,26 +131,24 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi
4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account signs in.
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
<span id="powershell"/>
## Set up a kiosk using Windows PowerShell
>App type: UWP
>App type:
> - UWP
>
>OS edition: Windows 10 Pro, Ent, Edu
>OS:
> - Windows 10 Pro, Ent, Edu
> - Windows 11
>
>Account type: Local standard user
>Account type:
> - Local standard user
![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png)
@ -137,59 +156,49 @@ You can use any of the following PowerShell cmdlets to set up assigned access on
Before you run the cmdlet:
1. Log in as administrator.
1. Sign in as administrator.
2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
3. Log in as the Assigned Access user account.
3. Sign in as the Assigned Access user account.
4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
5. Log out as the Assigned Access user account.
6. Log in as administrator.
5. Sign out as the Assigned Access user account.
6. Sign in as administrator.
To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
**Configure assigned access by AppUserModelID and user name**
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
```
**Configure assigned access by AppUserModelID and user SID**
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
```
**Configure assigned access by app name and user name**
```
Set-AssignedAccess -AppName <CustomApp> -UserName <username>
```
**Configure assigned access by app name and user SID**
```
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
```
- **Configure assigned access by AppUserModelID and user name**: `Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>`
- **Configure assigned access by AppUserModelID and user SID**: `Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>`
- **Configure assigned access by app name and user name**: `Set-AssignedAccess -AppName <CustomApp> -UserName <username>`
- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>`
> [!NOTE]
> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once.
[Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md).
[Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**).
To remove assigned access, using PowerShell, run the following cmdlet.
To remove assigned access, using PowerShell, run the following cmdlet:
```
```powershell
Clear-AssignedAccess
```
<span id="wizard" />
## Set up a kiosk using the kiosk wizard in Windows Configuration Designer
>App type: UWP or Windows desktop application
>App type:
> - UWP
> - Windows desktop application
>
>OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types
>OS:
> - Windows 10 Pro version 1709+ for UWP only
> - Windows 10 Ent, Edu for UWP and Windows desktop applications
> - Windows 11
>
>Account type: Local standard user, Active Directory
>Account type:
> - Local standard user
> - Active Directory
![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png)
@ -199,69 +208,136 @@ Clear-AssignedAccess
When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application.
[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings:
[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
1. Enable device setup:
:::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software.":::
If you want to enable device setup, select **Set up device**, and configure the following settings:
<table>
<tr><td valign="top"><img src="images/one.png" alt="step one"/><img src="images/set-up-device.png" alt="set up device"/></br></br>Enable device setup if you want to configure settings on this page.</br></br><strong>If enabled:</strong></br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. <a href="/windows/deployment/upgrade/windows-10-edition-upgrades" data-raw-source="[See the permitted upgrades.](/windows/deployment/upgrade/windows-10-edition-upgrades)">See the permitted upgrades.</a></br></br>Toggle <strong>Configure devices for shared use</strong> off. This setting optimizes Windows 10 for shared use scenarios and isn&#39;t necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td><img src="images/set-up-device-details.png" alt="device name, upgrade to enterprise, shared use, remove pre-installed software"/></td></tr>
<tr><td valign="top"><img src="images/two.png" alt="step two"/> <img src="images/set-up-network.png" alt="set up network"/></br></br>Enable network setup if you want to configure settings on this page.</br></br><strong>If enabled:</strong></br></br>Toggle <strong>On</strong> or <strong>Off</strong> for wireless network connectivity. If you select <strong>On</strong>, enter the SSID, the network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="images/set-up-network-details.png" alt="Enter network SSID and type"/></td></tr>
<tr><td valign="top"><img src="images/three.png" alt="step three"/> <img src="images/account-management.png" alt="account management"/></br></br>Enable account management if you want to configure settings on this page. </br></br><strong>If enabled:</strong></br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>. The <strong>maximum number of devices per user</strong> setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click <strong>Get bulk token</strong>. In the <strong>Let&#39;s get you signed in</strong> window, enter an account that has permissions to join a device to Azure AD, and then the password. Click <strong>Accept</strong> to give Windows Configuration Designer the necessary permissions.</br></br><strong>Warning:</strong> You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br><strong>Important:</strong> If you create a local account in the provisioning package, you must change the password using the <strong>Settings</strong> app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td><img src="images/account-management-details.png" alt="join Active Directory, Azure AD, or create a local admin account"/></td></tr>
<tr><td valign="top"><img src="images/four.png" alt="step four"/> <img src="images/add-applications.png" alt="add applications"/></br></br>You can provision the kiosk app in the <strong>Add applications</strong> step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see <a href="provisioning-packages/provision-pcs-with-apps.md" data-raw-source="[Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)">Provision PCs with apps</a></br></br><strong>Warning:</strong> If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in <strong>Installer Path</strong>, and then a <strong>Cancel</strong> button becomes available, allowing you to complete the provisioning package without an application. </td><td><img src="images/add-applications-details.png" alt="add an application"/></td></tr>
<tr><td valign="top"><img src="images/five.png" alt="step five"/> <img src="images/add-certificates.png" alt="add certificates"/></br></br>To provision the device with a certificate for the kiosk app, click <strong>Add a certificate</strong>. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td><img src="images/add-certificates-details.png" alt="add a certificate"/></td></tr>
<tr><td valign="top"><img src="images/six.png" alt="step six"/> <img src="images/kiosk-account.png" alt="Configure kiosk account and app"/></br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle <strong>No</strong>, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle <strong>Yes</strong> or <strong>No</strong> to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under <strong>Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational</strong>.)</br></br>In <strong>Configure the kiosk mode app</strong>, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td><img src="images/kiosk-account-details.png" alt="The 'Configure kiosk common settings' button as displayed while provisioning a kiosk device in Windows Configuration Designer."/></td></tr>
<tr><td valign="top"><img src="images/seven.png" alt="step seven"/> <img src="images/kiosk-common.png" alt="configure kiosk common settings"/></br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td><img src="images/kiosk-common-details.png" alt="set tablet mode and configure welcome and shutdown and turn off timeout settings"/></td></tr>
<tr><td valign="top"> <img src="images/finish.png" alt="The 'finish' button as displayed while provisioning a kiosk device in Windows Configuration Designer."/></br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td><img src="images/finish-details.png" alt="Protect your package"/></td></tr>
</table>
- **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`.
- **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades).
- **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default.
- **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
2. Set up the network:
:::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
If you want to enable network setup, select **Set up network**, and configure the following settings:
- **Set up network**: To enable wireless connectivity, select **On**.
- **Network SSID**: Enter the Service Set Identifier (SSID) of the network.
- **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
3. Enable account management:
:::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
If you want to enable account management, select **Account Management**, and configure the following settings:
- **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
- **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
- **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
4. Add applications:
:::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode.":::
To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md).
> [!WARNING]
> If you select the plus button to add an application, you must enter an application for the provisioning package to validate. If you select the plus button by mistake, then:
>
> 1. In **Installer Path**, select any executable file.
> 2. When the **Cancel** button shows, select it.
>
> These steps let you complete the provisioning package without adding an application.
5. Add certificates:
:::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate.":::
To add a certificate to the devices, select **Add certificates**, and configure the following settings:
- **Certificate name**: Enter a name for the certificate.
- **Certificate path**: Browse and select the certificate you want to add.
6. Configure the kiosk account, and the kiosk mode app:
:::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device.":::
To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings:
- **Create a local standard user account to run the kiosk mode app**: Select **Yes** to create a local standard user account, and enter the **User name** and **Password**. This user account runs the app. If you select **No**, make sure you have an existing user account to run the kiosk app.
- **Auto sign-in**: Select **Yes** to automatically sign in the account when the device starts. **No** doesn't automatically sign in the account. If there are issues with auto sign-in after you apply the provisioning package, then check the Event Viewer logs for auto logon issues (`Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational`).
- **Configure the kiosk mode app**: Enter the **User name** of the account that will run the kiosk mode app. In **App type**, select the type of app to run. Your options:
- **Windows desktop application**: Enter the path or filename. If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required.
- **Universal Windows app**: Enter the AUMID.
7. Configure kiosk common settings:
:::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings.":::
To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings:
- **Set tablet mode**
- **Customize user experience**
- **Configure power settings**
8. Finish:
:::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password.":::
To complete the wizard, select **Finish**, and configure the following setting:
- **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password.
>[!NOTE]
>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
<span id="mdm" />
## Set up a kiosk or digital sign using Microsoft Intune or other MDM service
>App type: UWP
>App type:
> - UWP
>
>OS edition: Windows 10 Pro (version 1709), Ent, Edu
>OS:
> - Windows 10 Pro version 1709+, Ent, Edu
> - Windows 11
>
>Account type: Local standard user, Azure AD
>Account type:
> - Local standard user
> - Azure AD
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
>[!TIP]
>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider.
To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider.
## Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.

10
windows/configuration/kiosk-troubleshoot.md
View File

@ -1,8 +1,8 @@
---
title: Troubleshoot kiosk mode issues (Windows 10)
title: Troubleshoot kiosk mode issues (Windows 10/11)
description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
keywords: ["lockdown", "app restrictions"]
ms.prod: w10
@ -21,11 +21,12 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 11
## Single-app kiosk issues
>[!TIP]
>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#test-vm)), set up your kiosk account and configuration, and try to reproduce the problem.
>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem.
### Sign-in issues
@ -38,6 +39,9 @@ Check the Event Viewer logs for auto logon issues under **Applications and Servi
## Multi-app kiosk issues
> [!NOTE]
> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)]
### Unexpected results
For example:

8
windows/configuration/kiosk-validate.md
View File

@ -1,8 +1,8 @@
---
title: Validate kiosk configuration (Windows 10)
description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
title: Validate kiosk configuration (Windows 10/11)
description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@ -11,7 +11,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 07/30/2018
ms.topic: article
---
@ -21,6 +20,7 @@ ms.topic: article
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.

37
windows/configuration/kiosk-xml.md
View File

@ -1,8 +1,8 @@
---
title: Assigned Access configuration kiosk XML reference (Windows 10)
description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10.
title: Assigned Access configuration kiosk XML reference (Windows 10/11)
description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
@ -11,7 +11,6 @@ ms.sitesec: library
ms.pagetype: edu, security
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 10/02/2018
ms.author: greglin
ms.topic: article
---
@ -22,6 +21,7 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 11
## Full XML sample
@ -255,9 +255,16 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## Global Profile Sample XML
Global Profile is currently supported in Windows 10, version 2004. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in
Global Profile is supported on:
- Windows 10 version 2004+
- Windows 11
Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
@ -394,7 +401,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
```
## Folder Access sample xml
In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009 and later.
Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+.
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
@ -636,8 +643,9 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
## XSD for AssignedAccess configuration XML
>[!NOTE]
>Updated for Windows 10, version 1903 and later.
Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
>Updated for Windows 10, version 1903+.
The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release:
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -814,7 +822,8 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
</xs:schema>
```
Here is the schema for new features introduced in Windows 10 1809 release
The following XML is the schema for new features introduced in Windows 10 1809 release:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -859,7 +868,8 @@ Here is the schema for new features introduced in Windows 10 1809 release
</xs:schema>
```
Schema for Windows 10, version 1909 and later
The following XML is the schema for Windows 10 version 1909+:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -889,7 +899,10 @@ Schema for Windows 10, version 1909 and later
</xs:schema>
```
To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the autolaunch feature that was added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias.
For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"

2
windows/configuration/lock-down-windows-10-applocker.md
View File

@ -2,7 +2,7 @@
title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10)
description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10

36
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -1,8 +1,8 @@
---
title: Set up a multi-app kiosk (Windows 10)
title: Set up a multi-app kiosk on Windows 10 | Microsoft Docs
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
@ -11,23 +11,25 @@ ms.sitesec: library
ms.pagetype: edu, security
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 01/09/2019
ms.author: greglin
ms.topic: article
---
# Set up a multi-app kiosk
# Set up a multi-app kiosk on Windows 10 devices
**Applies to**
- Windows 10 Pro, Enterprise, and Education
> [!NOTE]
> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)]
A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they dont need to access.
The following table lists changes to multi-app kiosk in recent updates.
| New features and improvements | In update |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| --- | ---|
| - Configure [a single-app kiosk profile](#profile) in your XML file<br><br>- Assign [group accounts to a config profile](#config-for-group-accounts)<br><br>- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)<br><br>- [Automatically launch an app](#allowedapps) when the user signs in<br><br>- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809<br><br>**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
@ -43,7 +45,10 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
## Configure a kiosk in Microsoft Intune
To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows).
To configure a kiosk in Microsoft Intune, see:
- [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings)
- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows)
<span id="provision" />
@ -59,7 +64,7 @@ Watch how to use a provisioning package to configure a multi-app kiosk.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
### Prerequisites
@ -114,7 +119,7 @@ You can start your file by pasting the following XML (or any other examples in t
There are two types of profiles that you can specify in the XML:
- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen.
- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode.
- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode.
A lockdown profile section in the XML has the following entries:
@ -146,7 +151,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
##### AllowedApps
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
@ -189,7 +194,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
##### FileExplorerNamespaceRestrictions
Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune.
Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune.
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
@ -231,7 +236,7 @@ FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerele
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
A few things to note here:
@ -269,7 +274,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,
```
>[!NOTE]
>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
>If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
![What the Start screen looks like when the XML sample is applied.](images/sample-start.png)
@ -333,7 +338,7 @@ The following example shows how to specify an account to sign in automatically.
</Configs>
```
In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
```xml
<Configs>
@ -411,7 +416,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups are not supporte
<span id="add-xml" />
#### [Preview] Global Profile
Global profile is added in current Windows 10 Prerelease. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios.
Global profile is added in Windows 10. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios.
Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, global profile will be applied for the user.
@ -538,7 +543,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
>[!TIP]
>In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage?view=win10-ps) with `-LogsDirectoryPath` to get logs for the operation.
>In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation.
#### During initial setup, from a USB drive
@ -572,7 +577,6 @@ Provisioning packages can be applied to a device during the first-run experience
![add a package option.](images/package.png)
<span id="alternate-methods" />
### Use MDM to deploy the multi-app configuration
Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.

25
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -1,6 +1,6 @@
---
title: Set up a shared or guest PC with Windows 10 (Windows 10)
description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios.
title: Set up a shared or guest PC with Windows 10/11
description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios.
keywords: ["shared pc mode"]
ms.prod: w10
ms.mktglfcycl: manage
@ -9,30 +9,31 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
---
# Set up a shared or guest PC with Windows 10
# Set up a shared or guest PC with Windows 10/11
**Applies to**
- Windows 10
- Windows 11
Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise.
> [!NOTE]
> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
> If you're interested in using Windows client for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
## Shared PC mode concepts
A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
A Windows client PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
### Account models
It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode.
It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows client has a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode.
### Account management
When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
### Maintenance and sleep
Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
@ -73,7 +74,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) |
| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) |
| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows client configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) |
| Customization: SetPowerPolicies | When set as **True**:<br/>- Prevents users from changing power settings<br/>- Turns off hibernate<br/>- Overrides all power state transitions to sleep (e.g. lid close) |
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
@ -83,7 +84,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
You can configure Windows to be in shared PC mode in a couple different ways:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
@ -112,7 +113,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
11. From this point on, you can configure any additional settings youd like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
![Shared PC settings in ICD.](images/icd-adv-shared-pc.png)

40
windows/configuration/setup-digital-signage.md
View File

@ -1,8 +1,8 @@
---
title: Set up digital signs on Windows 10 (Windows 10)
description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education).
title: Set up digital signs on Windows 10/11
description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
@ -11,31 +11,30 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 10/02/2018
ms.date: 09/20/2021
ms.topic: article
---
# Set up digital signs on Windows 10
# Set up digital signs on Windows 10/11
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content.
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+.
>[!NOTE]
>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business).
This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience).
This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience).
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
@ -43,24 +42,24 @@ This procedure explains how to configure digital signage using Kiosk Browser on
3. Open Windows Configuration Designer and select **Provision kiosk devices**.
4. Enter a friendly name for the project, and select **Finish**.
5. On **Set up device**, select **Disabled**, and select **Next**.
6. On **Set up network**, enable network setup.
6. On **Set up network**, enable network setup:
- Toggle **On** wireless network connectivity.
- Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
7. On **Account management**, select **Disabled**, and select **Next**.
8. On **Add applications**, select **Add an application**.
8. On **Add applications**, select **Add an application**:
- For **Application name**, enter `Kiosk Browser`.
- For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
- For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
- The **Package family name** is populated automatically.
- Select **Next**.
9. On **Add certificates**, select **Next**.
10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage.
10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage:
- Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
- Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
- For **App type**, select **Universal Windows App**.
- In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`.
11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu:
- In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
- In **BlockedUrl**, enter `*`.
- In **DefaultUrl**, enter `https://www.contoso.com/menu`.
@ -79,16 +78,3 @@ This procedure explains how to configure digital signage using Kiosk Browser on
20. Copy the .ppkg file to a USB drive.
21. Attach the USB drive to the device that you want to use for your digital sign.
22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.

12
windows/configuration/supported-csp-start-menu-layout-windows.md
View File

@ -10,7 +10,6 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: MandiOhlinger
ms.date: 09/13/2021
ms.localizationpriority: medium
---
@ -57,6 +56,17 @@ For information on customizing the Start menu layout using policy, see [Customiz
## Existing CSP policies that Windows 11 doesn't support
- [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
- [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps)
- Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu`
- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
- Group policy:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu`
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu`
- [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus)
- Group policy:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu`
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu`

67
windows/configuration/supported-csp-taskbar-windows.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs
description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar.
ms.assetid:
manager: dougeby
ms.author: mandia
ms.reviewer: chataylo
ms.prod: w11
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: MandiOhlinger
ms.localizationpriority: medium
---
# Supported configuration service provider (CSP) policies for Windows 11 taskbar
**Applies to**:
- Windows 11
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices.
This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start).
For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
## Existing CSP policies that Windows 11 taskbar supports
- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
- Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar`
- Local setting: None
## Existing CSP policies that Windows 11 doesn't support
The following list includes some of the CSP policies that aren't supported on Windows 11:
- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings`
- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars`
- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars`
- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location`
- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar`
- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar`
- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items`
- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar`

2
windows/deployment/TOC.yml
View File

@ -52,6 +52,8 @@
items:
- name: Using a proxy with Delivery Optimization
href: update/delivery-optimization-proxy.md
- name: Delivery Optimization client-service communication
href: update/delivery-optimization-workflow.md
- name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations

44
windows/deployment/update/delivery-optimization-workflow.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Delivery Optimization client-service communication explained
manager: dougeby
description: Details of how Delivery Optimization communicates with the server when content is requested to download.
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
author: carmenf
ms.localizationpriority: medium
ms.author: carmenf
ms.collection: M365-modern-desktop
ms.topic: article
---
# Delivery Optimization client-service communication explained
**Applies to**
- Windows 10
- Windows 11
## Download request workflow
This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification.
1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB).
2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer.
3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file.
4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download.
5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to “simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed.
6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it.
## Delivery Optimization service endpoint and data information
|Endpoint hostname|Port|Name|Description|Data sent from the computer to the endpoint
|--------------------------------------------|--------|---------------|-----------------------|------------------------|
| geover-prod.do.dsp.mp.microsoft.com <br> geo-prod.do.dsp.mp.microsoft.com <br> geo.prod.do.dsp.mp.microsoft.com <br> geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox) <br> **doClientVersion**: The version of the DoSvc client <br> **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) |
| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id |
| cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id |
| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionId**: Client partitioning hint <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id |
| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **PeerId**: Identified of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eId**: Client grouping Id |
| dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. |

72
windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
View File

@ -23,21 +23,22 @@ ms.technology: mde
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows Server 2016 and later
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
>[!IMPORTANT]
>Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects.
> [!IMPORTANT]
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
### COM object configurability in WDAC policy
Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
**NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates:
> [!NOTE]
> To add this functionality to other versions of Windows 10, you can install the following or later updates.
- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371)
- Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288)
@ -48,19 +49,24 @@ Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC)
### Get COM object GUID
Get GUID of application to allow in one of the following ways:
- Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID
- Creating audit policy (using New-CIPolicy Audit), potentially with specific provider, and use info from block events to get GUID
- Finding a block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script), and extracting GUID
- Creating an audit policy (using New-CIPolicy Audit), potentially with a specific provider, and use the info from the block events to get the GUID
### Author policy setting to allow or deny COM object GUID
Three elements:
- Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”)
- Key: GUID for the program you with to run, in the format Key="{33333333-4444-4444-1616-161616161616}"
- Key: GUID for the program you wish to run, in the format Key="{33333333-4444-4444-1616-161616161616}"
- ValueName: needs to be set to "EnterpriseDefinedClsId"
One attribute:
- Value: needs to be “true” for allow and “false” for deny
- Note that deny only works in base policies, not supplemental
> [!NOTE]
> Deny only works in base policies, not supplemental policies
- The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName)
### Examples
@ -96,19 +102,18 @@ Example 3: Allows a specific COM object to register in PowerShell
```
### How to configure settings for the CLSIDs
Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
Here's an example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
Log Name: Microsoft-Windows-AppLocker/MSI and Script
Source: Microsoft-Windows-AppLocker
Date: 11/11/2020 1:18:11 PM
Event ID: 8036
Task Category: None
Level: Error
Keywords:
User: S-1-5-21-3340858017-3068726007-3466559902-3647
Computer: contoso.com
Description:
{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
Log Name: Microsoft-Windows-AppLocker/MSI and Script<br/>
Source: Microsoft-Windows-AppLocker<br/>
Date: 11/11/2020 1:18:11 PM<br/>
Event ID: 8036<br/>
Task Category: None<br/>
Level: Error<br/>
Keywords:<br/>
User: S-1-5-21-3340858017-3068726007-3466559902-3647<br/>
Computer: contoso.com<br/>
Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.<br/>
Event XML:
@ -122,7 +127,7 @@ Event XML:
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-11T19:18:11.4029179Z" />
<TimeCreated SystemTime="2020-11-11T13:18:11.4029179Z" />
<EventRecordID>819347</EventRecordID>
<Correlation ActivityID="{61e3e871-adb0-0047-c9cc-e761b0add601}" />
<Execution ProcessID="21060" ThreadID="23324" />
@ -137,22 +142,23 @@ Event XML:
</Event>
```
To add this CLSID to the existing policy, use the following steps:
To add this CLSID to the existing policy, follow these steps:
1. Open PowerShell ISE with Administrative privileges.
2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`.
```PowerShell
PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
```
```PowerShell
PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\WDAC_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean
```
Once the command has been run, you will find that the following section is added to the policy XML.
Once the command has been run, you will find that the following section is added to the policy XML.
```XML
```XML
<Settings>
<Setting Provider="WSH" Key="8856f961-340a-11d0-a96b-00c04fd705a2" ValueName="EnterpriseDefinedClsId">
<Setting Provider="WSH" Key="{f8d253d9-89a4-4daa-87b6-1168369f0b21}" ValueName="EnterpriseDefinedClsId">
<Value>
<Boolean>true</Boolean>
</Value>
</Setting>
```
```