diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json index 60a9cc42b7..fce7d09f7f 100644 --- a/.openpublishing.redirection.windows-configuration.json +++ b/.openpublishing.redirection.windows-configuration.json @@ -805,6 +805,16 @@ "redirect_url": "/windows/configuration/assigned-access/overview", "redirect_document_id": false }, + { + "source_path": "windows/configuration/kiosk/kiosk-prepare.md", + "redirect_url": "/windows/configuration/assigned-access/recommendations", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/kiosk/kiosk-prepare.md", + "redirect_url": "/windows/configuration/assigned-access/recommendations", + "redirect_document_id": false + }, { "source_path": "windows/configuration/kiosk/kiosk-prepare.md", "redirect_url": "/windows/configuration/assigned-access/recommendations", diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index e0b811613a..03ab4317a9 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md @@ -278,7 +278,7 @@ Example with some apps pinned: ::: zone pivot="windows-11" -To learn how to customize and export a Start menu configuration, see [Customize the Start menu](../start/customize-start-menu-layout-windows-11.md). +To learn how to customize and export a Start menu configuration, see [Customize the Start menu](../start/customize-and-export-start-layout.md). With the exported Start menu configuration, use the `v5:StartPins` element and add the content of the exported JSON file. For example: @@ -336,7 +336,7 @@ The following example hides the taskbar: ::: zone pivot="windows-11" -You can customize the Taskbar by creating a custom layout and adding it to your XML file. To learn how to customize and export the Taskbar configuration, see [Customize the Taskbar](../taskbar/customize-taskbar-windows-11.md). +You can customize the Taskbar by creating a custom layout and adding it to your XML file. To learn how to customize and export the Taskbar configuration, see [Customize the Taskbar](../taskbar/configure.md). > [!NOTE] > In Windows 11, the `ShowTaskbar` attribute is no-op. Configure it with a value of `true`. diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md index 1a47625b6a..1a1169d5c6 100644 --- a/windows/configuration/assigned-access/index.md +++ b/windows/configuration/assigned-access/index.md @@ -50,9 +50,9 @@ Kiosk configurations are based on **Assigned Access**, a feature in Windows clie There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. - **Which type of app will your kiosk run?** - Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-app.md) + Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application - **Which type of kiosk do you need?** - If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a multi-app kiosk + If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a Universal Windows Platform (UWP) app or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a multi-app kiosk - **Which edition of Windows client will the kiosk run?** All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home - **Which type of user account will be the kiosk account?** @@ -65,13 +65,11 @@ There are several kiosk configuration methods that you can choose from, dependin | Method | App type | Account type | Single-app kiosk | Multi-app kiosk | |--|--|--|:-:|:-:| -| [Assigned access in Settings](kiosk-single-app.md) | UWP | Local account | ✅ | -| [Assigned access cmdlets](kiosk-single-app.md) | UWP | Local account | ✅ | -| [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | -| [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | ✅ | -| Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✅ | ✅ | -| [Shell Launcher](kiosk-shelllauncher.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | -| [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅ | +| Assigned access in Settings | UWP | Local account | ✅ | +| Assigned access cmdlets | UWP | Local account | ✅ | +| The kiosk wizard in Windows Configuration Designer | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | +| XML in a provisioning package | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | ✅ | +| Microsoft Intune or other MDM | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✅ | ✅ | +| Shell Launcher| UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | +| MDM Bridge WMI Provider | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅ | ->[!NOTE] ->For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/overview.md index a27cdd000b..f50d0d1059 100644 --- a/windows/configuration/assigned-access/overview.md +++ b/windows/configuration/assigned-access/overview.md @@ -9,7 +9,7 @@ ms.topic: how-to Assigned Access is a Windows feature that you can use to configure a device as a kiosk or restricted user experience. -Multi-app kiosk mode allows an IT admin to pre-select the apps and functionality available to a user to create a tailored and immersive device experience. Ideal for shared devices, multi-app kiosk mode can create different configurations for different users, ensuring they have access to only what is needed to use the device as intended. The locked down configurations present users with the Windows desktop with which they are already familiar, while limiting their access to reduce distractions and potential for inadvertent uses. +Multi-app kiosk mode allows an IT admin to pre-select the apps and functionality available to a user to create a tailored and immersive device experience. Ideal for shared devices, multi-app kiosk mode can create different configurations for different users, ensuring they have access to only what is needed to use the device as intended. The locked down configurations present users with the Windows desktop with which they're already familiar, while limiting their access to reduce distractions and potential for inadvertent uses. :::row::: :::column span="1"::: @@ -20,7 +20,7 @@ Multi-app kiosk mode allows an IT admin to pre-select the apps and functionality :::column-end::: :::row-end::: -A single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it will utomatically restart. Practical examples include: +A single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it will automatically restart. Practical examples include: - Public browsing - Interactive digital signage @@ -49,13 +49,13 @@ When applying an Assigned Access configuration to a device, different policy set [!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)] -When the multi-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules +When the multi-app kiosk configuration is applied to a device, AppLocker rules are generated to allow the apps that are listed in the configuration. Here are the predefined Assigned Access AppLocker rules. For UWP apps, 1. Default rule is to allow all users to launch the signed package apps -1. The package app deny list is generated at runtime when the Assigned Access user signs in. Based on the installed/provisioned package apps available for the user account, Assigned Access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises -1. defined in the Assigned Access configuration. If there are multiple apps within the same package, all these apps are excluded. This deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list. +1. The package app deny list is generated at runtime when the Assigned Access user signs in. Based on the installed/provisioned package apps available for the user account, Assigned Access generates the deny list. This list excludes the default allowed inbox package apps, which are critical for the system to function, and then exclude the allowed packages that enterprises +1. defined in the Assigned Access configuration. If there are multiple apps within the same package, all these apps are excluded. This deny list is used to prevent the user from accessing the apps, which are currently available for the user but not in the allowed list > [!NOTE] > Assigned access multi-app mode doesn't block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current Assigned Access user session, this app won't be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the Assigned Access configuration to include it in the allowed app list. @@ -86,12 +86,12 @@ Assigned Access uses the *Lock framework*. When an Assigned Access user signs in ## Test your Assigned Access experience -It's recommended to thoroughly test the Assigned Access kiosk configuration, ensuring that your devices provide a good user experience. +Thoroughly test the Assigned Access kiosk configuration, ensuring that your devices provide a good user experience. > [!NOTE] > The use of multiple monitors is supported for multi-app kiosk mode in Windows 11. -The Assigned Access feature is intended for dedicated devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, impacting other users on the device. Deleting the kiosk configuration removes the Assigned Access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, the Start layout). To clear all the policy settings enforced by Assigned Access, you must reset Windows. +The Assigned Access feature is intended for dedicated devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, [certain policies](policies-settings.md) are enforced system-wide, impacting other users on the device. Deleting the kiosk configuration removes the Assigned Access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, the Start layout). To clear all the policy settings enforced by Assigned Access, you must reset Windows. ## Troubleshooting diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index cf169d04cb..6b08533a33 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -22,9 +22,9 @@ landingContent: - linkListType: how-to-guide links: - text: Customize the Windows Start menu layout - url: start/customize-start-menu-layout-windows-11.md + url: start/customize-and-export-start-layout.md - text: Customize the Windows taskbar - url: taskbar/customize-taskbar-windows-11.md + url: taskbar/configure.md - text: Configure Windows Spotlight on the lock screen url: lock-screen/windows-spotlight.md - text: Accessibility information for IT pros @@ -34,14 +34,14 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Configure kiosks and digital signs - url: kiosk/kiosk-methods.md - - text: Set up a single-app kiosk - url: kiosk/kiosk-single-app.md - - text: Set up a multi-app kiosk for Windows 11 - url: kiosk/lock-down-windows-11-to-specific-apps.md - - text: Manage multi-user and guest devices - url: shared-devices-concepts.md + - text: Configure kiosks and restricted user experiences + url: assigned-access/index.md + - text: What is Assigned Access? + url: assigned-access/overview.md + - text: What is Shell Launcher? + url: assigned-access/shell-launcher/index.md + - text: "Quickstart: Configure a kiosk with Assigned Access" + url: assigned-access/quickstart-kiosk.md - title: Configure shared devices linkLists: diff --git a/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md index 3f401a1137..a4b50f8b4f 100644 --- a/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -13,7 +13,7 @@ ms.date: 08/05/2021 In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization). +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md). >[!WARNING] >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.