deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update date in configuration files

Browse Source
This commit is contained in:
Paolo Matarazzo 2024-03-04 14:46:43 -05:00
parent ce47bdbe46
commit 3420b0408e
7 changed files with 46 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/configuration/assigned-access/configuration-file.md
View File

@ -3,6 +3,7 @@ title: Create an Assigned Access configuration file
description: Learn how to create an XML file to configure Assigned Access.
ms.topic: how-to
zone_pivot_groups: windows-versions-11-10
ms.date: 03/04/2024
appliesto:
---

68
windows/configuration/assigned-access/configure.md
View File

@ -1,7 +1,7 @@
---
title: Configure Assigned Access
description: Learn how to configure devices with Assigned Access.
ms.date: 05/12/2023
ms.date: 03/04/2024
ms.topic: how-to
---
@ -256,70 +256,40 @@ An Assigned Access multi-app kiosk runs one or more apps from the desktop. Peopl
### Provisioning package
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](xsd.md).
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md).
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`.
1. Choose **Advanced provisioning**.
1. Name your project, and select **Next**.
1. Choose **All Windows desktop editions** and select **Next**.
1. On **New project**, select **Finish**. The workspace for your package opens.
1. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
1. In the center pane, select **Browse**. Locate and select the Assigned Access configuration XML file that you created.
1. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
1. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
1. Open Windows Configuration Designer
1. Choose **Advanced provisioning**
1. Name your project, and select **Next**
1. Choose **All Windows desktop editions** and select **Next**
1. On **New project**, select **Finish**. The workspace for your package opens
1. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**
1. In the center pane, select **Browse**. Locate and select the Assigned Access configuration XML file that you created
1. *Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step.* Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
1. *Optional: If you already have a non-admin account on the kiosk device, skip this step.* Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**
1. On the **File** menu, select **Save.**
1. On the **Export** menu, select **Provisioning package**.
1. On the **Export** menu, select **Provisioning package**
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
1. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can select **Browse** to change the default output location.
1. Select **Next**.
1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
1. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location
Optionally, you can select **Browse** to change the default output location
1. Select **Next**
1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this action, select **Back** to change the output package name and path, and then select **Next** to start another build.
- If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**.
1. Copy the provisioning package to the root directory of a USB drive.
<span id="apply-ppkg" />
### Apply provisioning package to device
Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](../provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If your provisioning package doesn't include the Assigned Access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
---
@ -359,3 +329,7 @@ To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWO
> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode.
The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample).
## Remove Assigned Access
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).

2
windows/configuration/assigned-access/index.md
View File

@ -2,7 +2,7 @@
title: Configure kiosks and restricted user experiences
description: Learn about the options available in Windows to configure kiosks and restricted user experiences.
ms.topic: overview
ms.date: 02/26/2024
ms.date: 03/04/2024
---
# Configure kiosks and restricted user experiences

170
windows/configuration/assigned-access/overview.md
View File

@ -1,7 +1,7 @@
---
title: What is Assigned Access?
description: Learn how to configure devices with Assigned Access.
ms.date: 05/12/2023
ms.date: 03/04/2024
ms.topic: how-to
---
@ -9,7 +9,6 @@ ms.topic: how-to
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or restricted user experience.
Multi-app kiosk mode allows an IT admin to pre-select the apps and functionality available to a user to create a tailored and immersive device experience. Ideal for shared devices, multi-app kiosk mode can create different configurations for different users, ensuring they have access to only what is needed to use the device as intended. The locked down configurations present users with the Windows desktop with which they are already familiar, while limiting their access to reduce distractions and potential for inadvertent uses.
:::row:::
@ -50,170 +49,41 @@ When applying an Assigned Access configuration to a device, different policy set
[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
<!-->
When the multi-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules
For UWP apps,
1. Default rule is to allow all users to launch the signed package apps.
1. Default rule is to allow all users to launch the signed package apps
1. The package app deny list is generated at runtime when the Assigned Access user signs in. Based on the installed/provisioned package apps available for the user account, Assigned Access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises
1. defined in the Assigned Access configuration. If there are multiple apps within the same package, all these apps are excluded. This deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list.
2. The package app deny list is generated at runtime when the Assigned Access user signs in. Based on the installed/provisioned package apps available for the user account, Assigned Access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the Assigned Access configuration. If there are multiple apps within the same package, all these apps are excluded. This deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list.
Note:
Assigned access multi-app mode doesn't block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current Assigned Access user session, this app won't be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the Assigned Access configuration to include it in the allowed app list.
> [!NOTE]
> Assigned access multi-app mode doesn't block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current Assigned Access user session, this app won't be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the Assigned Access configuration to include it in the allowed app list.
For desktop apps,
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. 2. There's a predefined inbox desktop app deny list for the Assigned Access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
-->
## Guidelines for choosing an app for a kiosk experience
<!--
To create a kiosk experience, you can choose UWP apps or Microsoft Edge. However, some applications might not provide a good user experience when used as a kiosk.
# Guidelines for choosing an app for Assigned Access (kiosk experience)
The following guidelines help you choose an appropriate Windows app for a kiosk experience:
Use Assigned Access to restrict users to use only one application, so that the device acts like a kiosk. Administrators can use Assigned Access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your Assigned Access experience.
## General guidelines
- Windows apps must be provisioned or installed for the Assigned Access account before they can be selected as the Assigned Access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps).
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the Assigned Access settings to launch the updated app, because Assigned Access uses the AUMID to determine which app to launch.
- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps.
## Guidelines for Windows apps that launch other apps
Some apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
## Guidelines for web browsers
Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
>
>Kiosk Browser can't access intranet websites.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
1. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
1. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
### Kiosk Browser settings
| Kiosk Browser settings | Use this setting to |
|--|--|
| Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. <br><br>For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. |
| Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. <br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. |
| Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. |
| Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. |
| Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. |
| Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. |
| Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. |
To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer
1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18)
1. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com)
1. Save the XML file
1. Open the project again in Windows Configuration Designer
1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed
> [!TIP]
>
> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information:
>
> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
> - Data type: Integer
> - Value: 1
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
URLs can include:
- A valid port value from 1 to 65,535.
- The path to the resource.
- Query parameters.
More guidelines for URLs:
- If a period precedes the host, the policy filters exact host matches only
- You can't use user:pass fields
- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence
- The policy searches wildcards (*) last
- The optional query is a set of key-value and key-only tokens delimited by '&'
- Key-value tokens are separated by '='
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching
### Examples of blocked URLs and exceptions
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
| Blocked URL rule | Block URL exception rule | Result |
|--|--|--|
| `*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. |
| `contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. |
| `youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). |
The following table gives examples for blocked URLs.
| Entry | Result |
|--|--|
| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com |
| `https://*` | Blocks all HTTPS requests to any domain. |
| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com |
| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. |
| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. |
| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
| `*:8080` | Blocks all requests to port 8080. |
| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
| `192.168.1.2` | Blocks requests to 192.168.1.1. |
| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
### Other browsers
You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
## Secure your information
Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
## App configuration
Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the Assigned Access user account before OneNote will open in assigned access.
Check the guidelines published by your selected app and set up accordingly.
- Windows apps must be provisioned or installed for the Assigned Access account before they can be selected as the Assigned Access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps)
- Updating a UWP app can sometimes change the Application User Model ID (AUMID) of the app. In such scenario, you must update the Assigned Access settings to execute the updated app, because Assigned Access uses the AUMID to determine the app to launch
- The app must be able to run above the lock screen. If the app can't run above the lock screen, it can't be used as a kiosk app
- Some apps can launch other apps. Assigned Access in kiosk mode prevents Windows apps from launching other apps. Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality
- Microsoft Edge includes support for kiosk mode. To learn more, see [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
- Avoid selecting Windows apps that might expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access
- Some apps might require more configurations before they can be used appropriately in Assigned Access. For example, Microsoft OneNote requires you to set up a Microsoft account for the Assigned Access user account before OneNote opens
- The kiosk profile is designed for public-facing kiosk devices. Use a local, non-administrator account. If the device is connected to your organization network, using a domain or Microsoft Entra account could compromise confidential information
## Develop your kiosk app
Assigned access in Windows client uses the new lock framework. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
Assigned Access uses the *Lock framework*. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an *above lock* screen app. To learn more, see [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
## Test your Assigned Access experience
The above guidelines may help you select or develop an appropriate Windows app for your Assigned Access experience. Once you've selected your app, we recommend that you thoroughly test the Assigned Access experience to ensure that your device provides a good customer experience.
> [!NOTE]
> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).
> [!IMPORTANT]
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
It's recommended to thoroughly test the Assigned Access kiosk configuration, ensuring that your devices provide a good user experience.

2
windows/configuration/assigned-access/policy-settings.md
View File

@ -2,7 +2,7 @@
title: Assigned Access policy settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
ms.date: 02/25/2024
ms.date: 03/04/2024
---
# Assigned Access policy settings

2
windows/configuration/assigned-access/quickstart-kiosk.md
View File

@ -2,7 +2,7 @@
title: "Quickstart: Configure a kiosk experience with Assigned Access"
description: Learn how to configure a kiosk experience with Assigned Access, using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
ms.topic: quickstart
ms.date: 02/05/2024
ms.date: 03/04/2024
---
# Quickstart: Configure a kiosk with Assigned Access

2
windows/configuration/assigned-access/quickstart-restricted-user-experience.md
View File

@ -2,7 +2,7 @@
title: "Quickstart: Configure a restricted user experience with Assigned Access"
description: Learn how to configure a restricted user experience using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
ms.topic: quickstart
ms.date: 02/05/2024
ms.date: 03/04/2024
appliesto:
zone_pivot_groups: windows-versions-11-10
---