deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

move

Browse Source
This commit is contained in:
Paolo Matarazzo
2025-01-14 17:15:21 -05:00
parent 63444af0a9
commit 3eb07e7000
18 changed files with 1739 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/configuration/custom-logon/images/customlogoncad.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

142
windows/configuration/custom-logon/index.md Normal file
View File

@ -0,0 +1,142 @@
---
title: Custom Logon
description: Custom Logon
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: aaf4ddd3-eac4-4c60-90c8-38837078c43b
author: sydbruck
ms.author: sybruckm
ms.service: windows-iot
ms.subservice: iot
ms.date: 03/05/2024
ms.topic: article
---
# Custom Logon
You can use the Custom Logon feature to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
Custom Logon settings don't modify the credential behavior of **Winlogon**, so you can use any credential provider that is compatible with Windows 10 to provide a custom sign-in experience for your device. For more information about creating a custom logon experience, see [Winlogon and Credential Providers](/windows/win32/secauthn/winlogon-and-credential-providers).
## Requirements
Custom Logon can be enabled on:
- Windows 10 Enterprise
- Windows 10 IoT Enterprise
- Windows 10 Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
## Terminology
**Turn on, enable:** To make the feature available and optionally apply settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line.
**Configure:** To customize the setting or subsettings.
**Embedded Logon:** This feature is called Embedded Logon in Windows 10, version 1511.
**Custom Logon:** This feature is called Custom Logon in Windows 10, version 1607 and later.
## Turn on Custom Logon
Custom Logon is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Custom Logon in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed and you're applying a provisioning package to configure Custom Logon, you must first turn on Custom Logon in order for a provisioning package to be successfully applied.
The Custom Logon feature is available in the Control Panel. You can set Custom Logon by following these steps:
### Turn on Custom Logon in Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Custom Logon**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
### Turn on Custom Logon using DISM
1. Open a command prompt with administrator rights.
1. Enable the feature using the following command.
```cmd
dism /online /enable-feature /featureName:Client-EmbeddedLogon
```
## Configure Custom Logon
### Configure Custom Logon settings using Unattend
You can configure the Unattend settings in the [Microsoft-Windows-Embedded-EmbeddedLogon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon) component to add custom logon features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the custom logon settings and XML examples, see the settings in Microsoft-Windows-Embedded-EmbeddedLogon.
The following example shows how to disable all Welcome screen UI elements and the **Switch user** button.
```xml
<settings pass="specialize">
<component name="Microsoft-Windows-Embedded-EmbeddedLogon" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<BrandingNeutral>17</BrandingNeutral>
<AnimationDisabled>1</AnimationDisabled>
<NoLockScreen>1</NoLockScreen>
<UIVerbosityLevel>1</UIVerbosityLevel>
<HideAutoLogonUI>1</HideAutoLogonUI>
</component>
</settings>
```
### Remove buttons from Logon screen
To remove buttons from the Welcome screen, set the appropriate value for **BrandingNeutral** in the following registry key:
```text
HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon
```
1. Make sure you have enabled Custom Logon following the instructions in [Turn on Custom Logon](#turn-on-custom-logon).
1. In the Windows search bar, type "Registry Editor" to open the **Registry Editor** window.
1. Use the file navigation in the left pane to access **HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon**.
1. In the right pane, right click on **BrandingNeutral** and select **Modify**.
1. Select the correct **Base** and enter the value for your desired customizations according to the following table, and click **OK** to apply the changes.
> [!NOTE]
> Changing the **Base** of **BrandingNeutral** will automatically convert the value field to the selected base. To ensure you are getting the correct value, select the base before entering the value.
The following table shows the possible values. To disable multiple Logon screen UI elements together, you can select the **Decimal** base when modifying the **BrandingNeutral** value, and combine actions by adding the decimal values of the desired actions and inputting the sum as the value of **BrandingNeutral**. For example, to disable the Power button and the Language button, select the decimal option for the base, then add the decimal values of each, in this case 2 and 4 respectively, and input the total (6) as the value for **BrandingNeutral**.
| Action |Description| Registry value (Hexadecimal) | Registry value (Decimal)|
|--------|------------|----|---|
| Disable all Logon screen UI elements |Disables the Power, Language, and Ease of Access buttons on the Logon and Ctrl+Alt+Del screens. |`0x1` | 1|
| Disable the Power button |Disables the Power button on the Logon and Ctrl+Alt+Del screens.|`0x2` |2|
| Disable the Language button |Disables the Language button on the Logon and Ctrl+Alt+Del screens.|`0x4` |4|
| Disable the Ease of Access button |Disables the Ease of Access button on the Logon and Ctrl+Alt+Del screens.|`0x8` |8|
| Disable the Switch user button |Disables the Switch User button from the Ctrl+Alt+Del screen, preventing a user from switching accounts. | `0x10` |16|
|Disable the Blocked Shutdown Resolver (BSDR) screen|Disables the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users aren't given a chance to cancel the shutdown process. | `0x20` |32|
In the following image of the `[ctrl + alt + del]` screen, you can see the Switch user button highlighted by a light green outline, the Language button highlighted by an orange outline, the Ease of Access button highlighted by a red outline, and the power button highlighted by a yellow outline. If you disable these buttons, they're hidden from the UI.
![custom logon screen](images/customlogoncad.jpg)
You can remove the Wireless UI option from the Welcome screen by using Group Policy.
### Remove Wireless UI from Logon screen
You use the following steps to remove Wireless UI from the Welcome screen
1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.
1. In the Local Group Policy Editor, under **Computer Configuration**, expand **Administrative Templates**, expand **System**, and then tap or click **Logon**.
1. Double-tap or click **Do not display network selection UI**.
## Additional Customizations
The following table shows additional customizations that can be made using registry keys.
|Action |Path |Registry Key and Value |
|---------|---------|---------|
|Hide Autologon UI |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideAutoLogonUI = 1`|
|Hide First Logon Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideFirstLogonAnimation = 1` |
|Disable Authentication Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI |`AnimationDisabled = 1` |
|Disable Lock Screen | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization |`NoLockScreen = 1` |
## Related articles
- [Troubleshooting Custom Logon](troubleshooting-custom-logon.md)
- [Unbranded Boot](unbranded-boot.md)
- [Shell Launcher](shell-launcher.md)

119
windows/configuration/custom-logon/troubleshoot.md Normal file
View File

@ -0,0 +1,119 @@
---
title: Troubleshooting Custom Logon
description: Troubleshooting Custom Logon
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 5763E187-D09E-415D-B73C-BDD6BAB67E04
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/02/2017
ms.topic: article
---
# Troubleshooting Custom Logon
This section highlights some common issues that you may encounter when using Custom Logon.
## When automatic sign-in is enabled, the device asks for a password when resuming from sleep or hibernate
This can occur when your device is configured to require a password when waking up from a sleep state.
### To disable password protection on wake-up
1. If you have write filters enabled on your device, perform the following steps to disable them so that you can save setting changes:
1. At an administrator command prompt, type the following command:
```cmd
uwfmgr.exe filter disable
```
1. To restart the device, type the following command:
```cmd
uwfmgr.exe restart
```
1. In **Contol Panel**, search for **Power Options** , and then select the Power Options heading.
1. Under the **Power Options** heading, select **Require a password on wake up**.
1. On the **Define power buttons and turn on password protection** page, under **Password protection on wakeup**, select **Dont require a password**.
1. If you have disabled write filters, perform the following steps to enable them again:
1. At an administrator command prompt, type the following command:
```cmd
uwfmgr.exe filter enable
```
1. To restart the device, type the following command:
```cmd
uwfmgr.exe restart
```
## The device displays a black screen during setup
Set the **HideAutoLogonUI** and **AnimationDisabled** settings to **0** (zero). The device will then display a default screen during setup.
## The device displays a black screen when Ctrl+Alt+Del is pressed
**HideAutoLogonUI** and**ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
## The device displays a black screen when Windows key + L is used to lock the device
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
### The device displays a black screen when Notepad is opened, any characters are typed and the current user signs out, or the device is rebooted, or the device is shut down
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the Blocked Shutdown Resolver Screen (BSDR).
> [!WARNING]
> When the BSDR screen is disabled, restarting or shutting down the device causes the OS to immediately force close any open applications that are blocking system shutdown. No UI is displayed, and users are not given a chance to cancel the shutdown process. This can result in lost data if any open applications have unsaved data.
## The device displays a black screen when the device is suspended and then resumed
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the password protection on wake up.
### To disable password protection on wake up
1. In **Control Panel**, select **Power Options**.
1. In the **Power Options** item, select **Require a password on wake up**.
1. On the **Define power buttons and turn on password protection** page, under **Password protection on wake up**, select **Dont require a password**.
### The device displays a black screen when a password expiration screen is displayed
**HideAutoLogonUI** has a known issue. To avoid a black screen, we recommend you set the password to never expire.
### To set a password to never expire on an individual user account
1. On your device, open a command prompt with administrator privileges.
1. Type the following, replacing *&lt;accountname&gt;* with the name of the account you want to remove the password expiration from.
```cmd
net accounts <accountname> /expires:never
```
### To set passwords to never expire on all user accounts
1. On your device, open a command prompt with administrator privileges.
1. Type the following
```cmd
net accounts /MaxPWAge:unlimited
```
## Related articles
- [Custom Logon](custom-logon.md)
- [Complementary features to Custom Logon](complementary-features-to-custom-logon.md)

52
windows/configuration/shell-launcher/browser-support.md Normal file
View File

@ -0,0 +1,52 @@
---
title: Browser Support
author: TerryWarwick
ms.author: twarwick
ms.date: 03/30/2023
ms.topic: article
ms.service: windows-iot
ms.subservice: iot
description: Learn about browser support in Kiosk Mode
keywords: Lockdown, Kiosks, Kiosk Mode, Browser
---
# Browser Support
Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge](/deployedge/microsoft-edge-configure-kiosk-mode) to create an assigned access single-app or multi-app kiosk experience.
## Microsoft Edge Kiosk Mode
> Available for LTSC starting in [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/Windows-10-IoT-Enterprise-LTSC-2021)
[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
* Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
* Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
## Internet Explorer 11
[Internet Explorer 11](/internet-explorer/internet-explorer) will be considered a legacy browser, in subsequent releases.
In anticipation of that, you can use [Internet Explorer (IE) mode](/deployedge/edge-ie-mode) on Microsoft Edge. IE mode allows you to run legacy web apps as well as modern web apps in a single browser.
> [!NOTE]
> For in-support Windows 10 IoT Enterprise [Semi-Annual Channel (SAC) releases](/lifecycle/products/windows-10-iot-enterprise), Internet Explorer 11 will reach end of support on June 15, 2022.
>
> Internet Explorer 11 follows the Long-Term-Servicing-Channel (LTSC) Lifecycle for [Windows 10 IoT Enterprise LTSC](/lifecycle/products/?terms=Windows%2010%20IoT%20Enterprise%20LTSC) products.
## Supported Versions
| Browser | ![Internet Explorer 11](./media/IE11.png) | ![Microsoft Edge Legacy](./media/Microsoft-Edge-Legacy.png) | ![New Microsoft Edge](./media/Microsoft-Edge-New.png) |
|--|--|--|--|
| OS Release | [IE11 App](/internet-explorer/internet-explorer) | [Edge Browser - Legacy](/deployedge/microsoft-edge-kiosk-mode-transition-plan) | [New Edge Browser](/deployedge/microsoft-edge-configure-kiosk-mode) |
| Windows 10 IoT Enterprise LTSC 2019 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019) | No browser security updates after March, 9, 2021 (removed where applicable). In-box engine supported until OS EOL | Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML) |
| Windows 10 IoT Enterprise, version 21H2 | End of support June 15, 2022 | Removed & replaced with New Edge Browser in May 2021 Update | Included in-box or installed with May 2021 Update |
| Windows 10 IoT Enterprise LTSC 2021 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) | Not included | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
| Windows 11 IoT Enterprise | N/A | N/A | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
## Additional Resources
* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
* [Plan your kiosk mode transition](/deployedge/microsoft-edge-kiosk-mode-transition-plan)

352
windows/configuration/shell-launcher/index.md Normal file
View File

@ -0,0 +1,352 @@
---
title: Shell Launcher
description: Shell Launcher
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: c65f1400-9d2a-406e-8b43-74eaafb0ccae
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.date: 06/07/2018
ms.topic: article
---
# Shell Launcher
Using Shell Launcher, you can configure a kiosk device to use almost any application or executable as your custom shell. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
You can also configure Shell Launcher to launch different shell applications for different users or user groups.
There are a few exceptions to the applications and executables you can use as a custom shell:
- You can't use the following executable as a custom shell: `C:\\Windows\\System32\\Eshell.exe`. Using Eshell.exe as the default shell will result in a blank screen after user signs in.
- You can't use a Universal Windows app as a custom shell.
- You can't use a custom shell to launch Universal Windows apps, for example, the Settings app.
- You can't use an application that launches a different process and exits as a custom shell. For example, you can't specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher isn't aware of the newly created wordpad.exe process, Shell Launcher takes action based on the exit code of **Write.exe**, and restart the custom shell.
- You can't prevent the system from shutting down. For Shell Launcher V1 and V2, you can't block the session ending by returning FALSE upon receiving the [WM_QUERYENDSESSION](/windows/win32/shutdown/wm-queryendsession) message in a graphical application or returning FALSE in the [handler routine](/windows/console/handlerroutine) that is added through the [SetConsoleCtrlHandler](/windows/console/setconsolectrlhandler) function in a console application.
> [!NOTE]
> You cannot configure both Shell Launcher and assigned access on the same system.
>
> Use **Shell Launcher V2**, you can specify a Universal Windows app as a custom shell. Check [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) for the differences between Shell Launcher v1 and Shell Launcher V2.
Shell Launcher processes the **Run** and **RunOnce** registry keys before starting the custom shell, so your custom shell doesnt need to handle the automatic startup of other applications and services.
Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher such as, [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250), [AppLocker](/windows/iot/iot-enterprise/customize/application-control#applocker), and [Mobile Device Management](/windows/client-management/mdm/)
> [!NOTE]
>
> In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell.
>
> To use Shell Launcher v2 in version 1809, you need to install the [KB4551853 update](https://support.microsoft.com/topic/may-12-2020-kb4551853-os-build-17763-1217-c2ea33f7-4506-dd13-2739-d9c7bb80b26d).
## Differences between Shell Launcher v1 and Shell Launcher v2
Shell Launcher v1 replaces ```explorer.exe```, the default shell, with ```eshell.exe```, which can launch a Windows desktop application.
Shell Launcher v2 replaces ```explorer.exe``` with ```customshellhost.exe```. This new executable file can launch a Windows desktop application or a UWP app.
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard.
- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
- The custom shell app runs in full screen, and can run other apps in full screen on users demand.
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/microsoft/Windows-IoT-Samples/tree/master/samples/ShellLauncher/ShellLauncherV2).
## Requirements
Windows 10 Enterprise or Windows 10 Education.
## Terminology
- **Turn on, enable:** To make the setting available to the device and optionally apply the settings to the device.
- **Configure:** To customize the setting or subsettings.
- **Embedded Shell Launcher:** This feature is called Embedded Shell Launcher in Windows 10, version 1511.
- **Custom Shell Launcher:** This feature is called Shell Launcher in Windows 10, version 1607 and later.
## Turn on Shell Launcher
Shell Launcher is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed, you must turn on Shell Launcher before applying a provisioning package to configure Shell Launcher.
### Enable Shell Launcher using Control Panel
1. In the **Search the web and Windows** field, type **Programs and Features** and either press **Enter** or tap or select **Programs and Features** to open it.
1. In the **Programs and Features** window, select **Turn Windows features on or off**.
1. In the **Windows Features** window, expand the **Device Lockdown** node, select or clear the checkbox for **Shell Launcher**, and then select **OK.**
1. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Select **Close** to close the **Windows Features** window.
> [!NOTE]
> Turning on Shell Launcher does not require a device restart.
### Enable Shell Launcher by calling WESL_UserSetting
1. Enable or disable Shell Launcher by calling the WESL_UserSetting.SetEnabled function in the Windows Management Instrumentation (WMI) class WESL_UserSetting.
1. If you enable or disable Shell Launcher using WESL_UserSetting, the changes don't affect any sessions that are currently signed in; you must sign out and sign back in.
This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package (for more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
### Enable Shell Launcher using DISM
1. Open a command prompt with administrator privileges.
1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called C:\\wim).
1. Create a new directory.
```CMD
md c:\wim
```
1. Mount the image.
```CMD
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
```
1. Enable the feature.
```CMD
dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
```
1. Commit the change.
```CMD
dism /unmount-wim /MountDir:c:\wim /Commit
```
### Enable Shell Launcher using Windows Configuration Designer
The Shell Launcher settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image runtime. You can set one or all Shell Launcher settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. If Windows hasn't been installed and you're using Windows Configuration Designer to create installation media with settings for Shell Launcher included in the image or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM in order for a provisioning package to successfully apply.
Use the following steps to create a provisioning package that contains the ShellLauncher settings.
1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
1. In the **Available customizations** page, select **Runtime settings** > **SMISettings** > **ShellLauncher**.
1. Set the value of **Enable** to **ENABLE**. More options to configure Shell Launcher appears, and you can set the values as desired.
1. Once you have finished configuring the settings and creating the provisioning package, you can apply the package to the image deployment time or runtime. See the [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. The process for applying the package to a Windows 10 Enterprise image is the same.
## Configure Shell Launcher
There are two ways you can configure Shell Launcher:
1. In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the Assigned Access Configuration Service Provider (CSP). See [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) for details. Configuring Shell Launcher using this method also automatically enables Shell Launcher on the device, if the device supports it.
1. Use the Shell Launcher WMI providers directly in a PowerShell script or application.
You can configure the following options for Shell Launcher:
- Enable or disable Shell Launcher.
- Specify a shell configuration for a specific user or group.
- Remove a shell configuration for a specific user or group.
- Change the default shell configuration.
- Get information on a shell configuration for a specific user or group.
Any changes don't take effect until a user signs in.
## Launch different shells for different user accounts
By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to Cmd.exe, but you can specify any executable file to be the default shell.
You can configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to run a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts in order to service the device.
If you use the WMI providers to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that user or group; you can't use the user name or group name.
For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
## Perform an action when the shell exits
When a custom shell exits, Shell Launcher can perform one of four actions:
|Action|Description|
|:---:|:---|
|0|Restart the shell.|
|1|Restart the device.|
|2|Shut down the device.|
|3|Do nothing.|
> [!IMPORTANT]
> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
### Default return code action
You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
### Map the exit code to a Shell Launcher action
Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
For example, your shell might return exit code values of -1, 0, 1, or 255 depending on how the shell exits. You can configure Shell Launcher to:
- restart the device (1) when the shell returns an exit code of value -1
- restart the shell (0) when the shell returns an exit code of value 0
- do nothing (3) when the shell returns an exit code of value 1
- shut down the device (2) when the shell returns an exit code of value 255
Your custom return code action mapping would look like this:
|Exit code|Action|
|:----:|----|
|-1|1 (restart the device)|
|0|0 (restart the shell)|
|1|3 (do nothing)|
|255|2 (shut down the device)|
## Set your custom shell
Modify the following PowerShell script as appropriate and run the script on the device.
```PowerShell
# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
"@
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
"`nThis device doesn&#39;t have required license to use Shell Launcher"
exit
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$do_nothing = 3
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
> [!NOTE]
> The previous script includes examples of multiple configuration options, including removing a custom shell and disabling Shell Launcher. It is not intended to be run as-is.
## Shell Launcher user rights
A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights can't.
> [!WARNING]
> If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for Shell Launcher to launch the shell application.
## Related articles
- [Unbranded Boot](unbranded-boot.md)
- [Custom Logon](custom-logon.md)
- [Use Shell Launcher to create a Windows 10 Kiosk](/windows/configuration/kiosk-shelllauncher)
- [Launch different shells for different user accounts](/windows-hardware/customize/enterprise/shell-launcher#launch-different-shells-for-different-user-accounts)
- [Perform an action when the shell exits](/windows-hardware/customize/enterprise/shell-launcher#perform-an-action-when-the-shell-exits)
- [Shell Launcher user rights](/windows-hardware/customize/enterprise/shell-launcher#shell-launcher-user-rights)

44
windows/configuration/shell-launcher/multi-app-kiosk.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Multi-App Kiosk
author: TerryWarwick
ms.author: twarwick
ms.date: 08/16/2023
ms.topic: article
ms.service: windows-iot
ms.subservice: iot
description: Learn about the Multi-App Kiosk in Windows IoT Enterprise.
keywords: Lockdown, Multi-App, Kiosk
---
# Assigned access multi-app kiosk
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a [guide](/windows/configuration/lock-down-windows-10-to-specific-apps) on how to set up a multi-app kiosk.
> [!NOTE]
> Multi-app kiosk mode is not available for Windows 11 IoT Enterprise, version 21H2 or 22H2. Please refer to [What's new for subsequent releases](../whats-new/Release-History.md#windows-11-iot-enterprise) for information about its return.
>
> **Update** - [Multi-app kiosk mode is now available in Windows 11](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)., version 22H2 as part of the Windows continuous innovation releases. To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [Delivering continuous innovation in Windows 11](https://support.microsoft.com/windows/delivering-continuous-innovation-in-windows-11-b0aa0a27-ea9a-4365-9224-cb155e517f12).
## Benefits of using a multi-app kiosk
The benefit of a kiosk that runs multiple specified apps is to provide an easy-to-understand experience for individuals by showing them only the things they need to use, and removing the things they dont need to access.
A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with the device and receive a customized lockdown experience based on the configuration.
## Configuring your multi-app kiosk
* [Configure a kiosk in Microsoft Intune](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune)
* [Configure a kiosk using a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package)
> [!NOTE]
>
> When you configure a multi-app kiosk, [specific policies](/windows/configuration/kiosk-policies) are enforced that will affect all non-administrator users on the device.
## Additional Resources
* [New features and improvements](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)

43
windows/configuration/shell-launcher/single-app-kiosk.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Assigned access Single-App Kiosk
author: TerryWarwick
ms.author: twarwick
ms.date: 03/30/2023
ms.topic: article
ms.service: windows-iot
ms.subservice: iot
description: Learn about the Single-App Kiosk in Windows IoT Enterprise.
keywords: Kiosk Mode, Single-App
---
# Assigned access single-app kiosk
A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk can't do anything on the device outside of the kiosk app.
> [!NOTE]
>
> Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
## Benefits of using a single-app kiosk
A single-app kiosk is ideal for public use. Using [shell launcher](./Shell-Launcher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen, and users have access to only this app and nothing else on the system. This experience is often used for public-facing kiosk machines. Check out [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions) for more information.
## Configuring your single-app kiosks
You have several options for configuring your single-app kiosk.
* [Settings App](/windows/configuration/kiosk-single-app#local)
* [PowerShell](/windows/configuration/kiosk-single-app#powershell)
* [Kiosk Wizard in Windows Configuration Designer](/windows/configuration/kiosk-single-app#wizard)
* [Microsoft Intune or other MDM providers](/windows/configuration/kiosk-single-app#mdm)
> [!TIP]
> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps) by using a [kiosk profile](/windows/configuration/lock-down-windows-10-to-specific-apps#profile).
## Additional Resources
* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)

24
windows/configuration/shell-launcher/toc.yml Normal file
View File

@ -0,0 +1,24 @@
items:
- name: Shell Launcher
items:
- name: Overview
href: shell-launcher.md
- name: WMI Provider Reference
items:
- name: Class WESL_UserSetting
href: wesl-usersetting.md
- name: GetCustomShell
href: wesl-usersettinggetcustomshell.md
- name: GetDefaultShell
href: wesl-usersettinggetdefaultshell.md
- name: IsEnabled
href: wesl-usersettingisenabled.md
- name: RemoveCustomShell
href: wesl-usersettingremovecustomshell.md
- name: SetCustomShell
href: wesl-usersettingsetcustomshell.md
- name: SetDefaultShell
href: wesl-usersettingsetdefaultshell.md
- name: SetEnabled
href: wesl-usersettingsetenabled.md

150
windows/configuration/shell-launcher/wedl-assignedaccess.md Normal file
View File

@ -0,0 +1,150 @@
---
title: WEDL\_AssignedAccess
description: WEDL\_AssignedAccess
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 2be8d294-db13-4494-bd5f-ba97ed89528e
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WEDL\_AssignedAccess
This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
## Syntax
```powershell
class WEDL_AssignedAccess {
[Key] string UserSID;
[Read, Write] string AppUserModelId;
[Read] sint32 Status;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
This class contains no methods.
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **UserSID** | string | [key] | The security identifier (SID) for the user account that you want to use as the assigned access account. |
| **AppUserModelId** | string | [read, write] | The Application User Model ID (AUMID) of the Windows app to launch for the assigned access account. |
| **Status** | Boolean | none | Indicates the current status of the assigned access configuration |
| Value | Description |
|:-----:|-------------|
| 0 | A valid account is configured, but no Windows app is specified. Assigned access is not enabled. |
| 1 | Assigned access is enabled. |
| 0x100 | UserSID error: cannot find the account. |
| 0x103 | UserSID error: the account profile does not exist. |
| 0x200 | AppUserModelID error: cannot find the Windows app. |
| 0x201 | Task Scheduler error: Could not schedule task. Make sure that the Task Scheduler service is running. |
| 0xffffffff | Unspecified error.|
### Remarks
Changes to assigned access do not affect any sessions that are currently signed in; you must sign out and sign back in.
## Example
The following Windows PowerShell script demonstrates how to use this class to set up an assigned access account.
```powershell
#
#---Define variables---
#
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Define the assigned access account.
# To use a different account, change $AssignedAccessAccount to a user account that is present on your device.
$AssignedAccessAccount = "KioskAccount"
# Define the Windows app to launch, in this example, use the Application Model User ID (AUMID) for Windows Calculator.
# To use a different Windows app, change $AppAUMID to the AUMID of the Windows app to launch.
# The Windows app must be installed for the account.
$AppAUMID = "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
#
#---Define helper functions---
#
function Get-UsernameSID($AccountName) {
# This function retrieves the SID for a user account on a machine.
# This function does not check to verify that the user account actually exists.
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
#
#---Set up the new assigned access account---
#
# Get the SID for the assigned access account.
$AssignedAccessUserSID = Get-UsernameSID($AssignedAccessAccount)
# Check to see if an assigned access account is already set up, and if so, clear it.
$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
if ($AssignedAccessConfig) {
# Configuration already exists. Delete it so that we can create a new one, since only one assigned access account can be set up at a time.
$AssignedAccessConfig.delete();
}
# Configure assigned access to launch the specified Windows app for the specified account.
Set-WmiInstance -class WEDL_AssignedAccess -ComputerName $COMPUTER -Namespace $NAMESPACE -Arguments @{
UserSID = $AssignedAccessUserSID;
AppUserModelId = $AppAUMID
} | Out-Null;
# Confirm that the settings were created properly.
$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
if ($AssignedAccessConfig) {
"Set up assigned access for the " + $AssignedAccessAccount + " account."
" UserSID = " + $AssignedAccessConfig.UserSid
" AppModelId = " + $AssignedAccessConfig.AppUserModelId
} else {
"Could not set up assigned access account."
}
```
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |

183
windows/configuration/shell-launcher/wesl-usersetting.md Normal file
View File

@ -0,0 +1,183 @@
---
title: WESL_UserSetting
description: WESL_UserSetting
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 73c5bb46-bf9e-4657-a5ae-88dbd14b79e8
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/02/2017
ms.topic: article
---
# WESL_UserSetting
This class configures which application Shell Launcher starts based on the security identifier (SID) of the signed in user, and also configures the set of return codes and return actions that Shell Launcher performs when the application exits.
## Syntax
```powershell
class WESL_UserSetting {
[read, write, Required] string Sid;
[read, write, Required] string Shell;
[read, write] Sint32 CustomReturnCodes[];
[read, write] Sint32 CustomReturnCodesAction[];
[read, write] sint32 DefaultAction;
[Static] uint32 SetCustomShell(
[In, Required] string Sid,
[In, Required] string Shell,
[In] sint32 CustomReturnCodes[],
[In] sint32 CustomReturnCodesAction[],
[In] sint32 DefaultAction
);
[Static] uint32 GetCustomShell(
[In, Required] string Sid,
[Out, Required] string Shell,
[Out, Required] sint32 CustomReturnCodes[],
[Out, Required] sint32 CustomReturnCodesAction[],
[Out, Required] sint32 DefaultAction
);
[Static] uint32 RemoveCustomShell(
[In, Required] string Sid
);
[Static] uint32 GetDefaultShell(
[Out, Required] string Shell,
[Out, Required] sint32 DefaultAction
);
[Static] uint32 SetDefaultShell(
[In, Required] string Shell,
[In, Required] sint32 DefaultAction
);
[Static] uint32 IsEnabled(
[Out, Required] boolean Enabled
);
[Static] uint32 SetEnabled(
[In, Required] boolean Enabled);
);
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
| Methods | Description |
|---------|-------------|
| [WESL_UserSetting.SetCustomShell](wesl-usersettingsetcustomshell.md) | Configures Shell Launcher for a specific user or group, based on SID. |
| [WESL_UserSetting.GetCustomShell](wesl-usersettinggetcustomshell.md) | Retrieves the Shell Launcher configuration for a specific user or group, based on the SID. |
| [WESL_UserSetting.RemoveCustomShell](wesl-usersettingremovecustomshell.md) | Removes a Shell Launcher configuration for a specific user or group, based on the SID. |
| [WESL_UserSetting.GetDefaultShell](wesl-usersettinggetdefaultshell.md) | Retrieves the default Shell Launcher configuration. |
| [WESL_UserSetting.SetDefaultShell](wesl-usersettingsetdefaultshell.md) | Sets the default Shell Launcher configuration. |
| [WESL_UserSetting.IsEnabled](wesl-usersettingisenabled.md) | Retrieves a value that indicates if Shell Launcher is enabled or disabled. |
| [WESL_UserSetting.SetEnabled](wesl-usersettingsetenabled.md) | Enables or disables Shell Launcher. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **Sid** | string | [read, write, required] | User or group SID. |
| **shell** | string | [read, write, required] | The application to start as the shell.</br>The **shell** property can be a filename in the *Path* environment variable, or it can contain a fully qualified path to the application. You can also use environment variables in the path.</br>Any spaces in the **shell** property must be part of a quote-delimited string. |
| **CustomReturnCodes** | Sint32[] |[read, write] | An array of custom return codes that can be returned by the shell. |
| **CustomReturnCodesAction** | Sint32[] | [read, write] | An array of custom return code actions that determine what action Shell Launcher takes when the shell exits. The custom actions map to the array of **CustomReturnCodes**.</br>The possible actions are:</br>0 - Restart the shell.</br>1 - Restart the device.</br>2 - Shut down the device.</br>3 - Do nothing. |
| **DefaultAction** | Sint32 | [read, write] | The default action Shell Launcher takes when the shell exits.</br>The possible actions are defined as follows:</br>0 - Restart the shell.</br>1 - Restart the device.</br>2 - Shut down the device.</br>3 - Do nothing. |
### Remarks
Only one **WESL_UserSetting** instance exists on a device with Shell Launcher.
Shell Launcher uses the custom configuration defined for the SID of the user currently signed in, if one exists. Otherwise, Shell Launcher uses a custom configuration defined for a group SID that the user is a member of, if any exist. If multiple group custom configurations for the user exist, Shell Launcher uses the first valid configuration it finds. The search order is not defined.
If there is no custom configuration for the users SID or any group SIDs that the user is a member of, Shell Launcher uses the default configuration.
You can find the SID for a user and any groups that the user is a member of by using the [whoami](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771299(v=ws.10)) command-line tool.
## Example
The following Windows PowerShell script demonstrates how to add and remove custom shell configurations for Shell Launcher by using the Windows Management Instrumentation (WMI) providers for Shell Launcher.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$do_nothing = 3
# Examples
# Set the command prompt as the default shell, and restart the device if it's closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
```
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [Shell Launcher](shell-launcher.md)

86
windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md Normal file
View File

@ -0,0 +1,86 @@
---
title: WESL_UserSetting.GetCustomShell
description: WESL_UserSetting.GetCustomShell
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 7bd2b50c-d566-4688-8fbd-1ea0197c1cde
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WESL_UserSetting.GetCustomShell
This method retrieves the Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
## Syntax
```powershell
[Static] uint32 GetCustomShell (
[In, Required] string Sid,
[Out, Required] string Shell,
[Out, Required] sint32 CustomReturnCodes[],
[Out, Required] sint32 CustomReturnCodesAction[],
[Out, Required] sint32 DefaultAction
);
```
## Parameters
**Sid**</br>\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
**Shell**</br>\[out, required\] The application or executable that Shell Launcher starts as the shell.
**CustomReturnCodes**</br>\[out, required\] An array of custom return codes returned by the shell application.
**CustomReturnCodesAction**</br>\[out, required\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
**DefaultAction**</br>\[out, required\] The default action that Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
| Value | Description |
|:------:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the application.
If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](shell-launcher.md)

66
windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md Normal file
View File

@ -0,0 +1,66 @@
---
title: WESL_UserSetting.GetDefaultShell
description: WESL_UserSetting.GetDefaultShell
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 26dc7e10-6e89-44e0-aec2-322676e8b2d1
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WESL_UserSetting.GetDefaultShell
This method retrieves the default Shell Launcher configuration.
## Syntax
```powershell
[Static] uint32 GetDefaultShell (
[Out, Required] string Shell,
[Out, Required] sint32 DefaultAction
);
```
## Parameters
**Shell**</br>\[out, required\] The application or executable that Shell Launcher starts as the shell.
**DefaultAction**</br>\[out, required\] The default action Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](shell-launcher.md)

50
windows/configuration/shell-launcher/wesl-usersettingisenabled.md Normal file
View File

@ -0,0 +1,50 @@
---
title: WESL_UserSetting.IsEnabled
description: WESL_UserSetting.IsEnabled
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 567f57b5-f9c8-4129-8279-dd351028df5d
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WESL_UserSetting.IsEnabled
This method retrieves a value that indicates if Shell Launcher is enabled or disabled.
## Syntax
```powershell
[Static] uint32 IsEnabled(
[Out, Required] boolean Enabled
);
```
## Parameters
**Enabled**</br>\[out, required\] A Boolean value that indicates if Shell Launcher is enabled.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](shell-launcher.md)

54
windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md Normal file
View File

@ -0,0 +1,54 @@
---
title: WESL_UserSetting.RemoveCustomShell
description: WESL_UserSetting.RemoveCustomShell
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 161eb289-e3b5-4d16-b367-f79f2b90f291
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WESL_UserSetting.RemoveCustomShell
This method removes a Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
## Syntax
```powershell
[Static] uint32 RemoveCustomShell (
[In, Required] string Sid
);
```
## Parameters
**Sid**</br>\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must restart your device for the changes to take effect.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](shell-launcher.md)

86
windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md Normal file
View File

@ -0,0 +1,86 @@
---
title: WESL_UserSetting.SetCustomShell
description: WESL_UserSetting.SetCustomShell
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 09fa040b-0fa1-4886-bfdd-8614eead0da8
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WESL_UserSetting.SetCustomShell
This method configures Shell Launcher for a specific user or group, based on the security identifier (SID).
## Syntax
```powershell
[Static] uint32 SetCustomShell (
[In, Required] string Sid,
[In, Required] string Shell,
[In] sint32 CustomReturnCodes[],
[In] sint32 CustomReturnCodesAction[],
[In] sint32 DefaultAction
);
```
## Parameters
**Sid**</br>\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is being configured for.
**Shell**</br>\[in, required\] The application or executable that Shell Launcher starts as the shell.
**CustomReturnCodes**</br>\[in\] An array of custom return codes that can be returned by the shell application.
**CustomReturnCodesAction**</br>\[in\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
**DefaultAction**</br>\[In\] The default action that Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell.|
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the shell application.
If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](shell-launcher.md)

66
windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md Normal file
View File

@ -0,0 +1,66 @@
---
title: WESL_UserSetting.SetDefaultShell
description: WESL_UserSetting.SetDefaultShell
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: fb4040bb-7cf2-4644-bf0f-d7d0274dd080
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WESL_UserSetting.SetDefaultShell
This method sets the default Shell Launcher configuration.
## Syntax
```powershell
[Static] uint32 SetDefaultShell (
[In, Required] string Shell,
[In, Required] sint32 DefaultAction
);
```
## Parameters
**Shell**</br>\[in, required\] The application or executable that Shell Launcher starts as the shell.
**DefaultAction**</br>\[in, required\] The default action that Shell Launcher takes when the *Shell* application exits.
The possible actions are defined in the following table:
| Value | Description |
|:-------:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](shell-launcher.md)

56
windows/configuration/shell-launcher/wesl-usersettingsetenabled.md Normal file
View File

@ -0,0 +1,56 @@
---
title: WESL_UserSetting.SetEnabled
description: WESL_UserSetting.SetEnabled
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 8dc373fe-37f9-45ca-bb0a-38f0e54feef1
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 05/20/2024
ms.topic: article
---
# WESL_UserSetting.SetEnabled
This method enables or disables Shell Launcher.
## Syntax
```powershell
[Static] uint32 SetEnabled(
[In, Required] boolean Enabled
);
```
## Parameters
**Enabled**</br>\[in, required\] A Boolean value that indicates whether to enable or disable Shell Launcher.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
This method enables or disables Shell Launcher by modifying the **Shell** value in the registry key **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon**. If Unified Write Filter (UWF) is enabled, you may need to disable UWF or commit this registry key by using [UWF_RegistryFilter.CommitRegistry](uwf-registryfiltercommitregistry.md) in order to enable or disable Shell Launcher.
Enabling or disabling Shell Launcher does not take effect until a user signs in.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](shell-launcher.md)

166
windows/configuration/unbranded-boot/index.md Normal file
View File

@ -0,0 +1,166 @@
---
title: Unbranded Boot
description: Unbranded Boot
author: TerryWarwick
ms.author: twarwick
ms.service: windows-iot
ms.subservice: iot
ms.date: 09/10/2024
ms.topic: reference
---
# Unbranded Boot
You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error that it can't recover from. This feature is known as Unbranded Boot.
> [!IMPORTANT]
> The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator.
## Requirements
Unbranded Boot can be enabled on:
- Windows 10 Enterprise
- Windows 10 IoT Enterprise
- Windows 10 Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
## Terminology
- **Turn on, Enable:** To make the setting available to the device and optionally apply the settings to the device. Generally "turn on" is used in the user interface or control panel, whereas "enable" is used for command line.
- **Configure:** To customize the setting or subsettings.
- **Embedded Boot Experience:** this feature is called "Embedded Boot Experience" in Windows 10, build 1511.
- **Custom Boot Experience:** this feature is called "Custom Boot Experience" in Windows 10, build 1607 and later.
## Turn on Unbranded Boot settings
Unbranded Boot is an optional component and isn't enabled by default in Windows. It must be enabled prior to configuring.
If Windows has already been installed, you can't apply a provisioning package to configure Unbranded Boot; instead you must use BDCEdit to configure Unbranded boot if Windows is installed.
BCDEdit is the primary tool for editing the Boot Configuration Database (BCD) of Windows and is included in Windows in the %WINDIR%\\System32 folder. Administrator privileges are required to use BCDEdit to modify the BCD.
### Turn on Unbranded Boot by using Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Unbranded Boot**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Restart your device to apply the changes.
## Configure Unbranded Boot settings at runtime using BCDEdit
1. Open a command prompt as an administrator.
1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu.
```cmd
bcdedit.exe -set {globalsettings} advancedoptions false
```
1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu.
```cmd
bcdedit.exe -set {globalsettings} optionsedit false
```
1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup.
```cmd
bcdedit.exe -set {globalsettings} bootuxdisabled on
```
1. Run the following command to suppress any error screens that are displayed during boot. If **noerrordisplay** is on and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen.
```cmd
bcdedit.exe -set {bootmgr} noerrordisplay on
```
## Configure Unbranded Boot using Unattend
You can also configure the Unattend settings in the [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp) component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings in Microsoft-Windows-Embedded-BootExp.
### Unbranded Boot settings
The following table shows Unbranded Boot settings and their values.
| Setting | Description | Value |
|---------|-------------|-------|
| DisableBootMenu | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the Advanced startup options menu. | Set to 1 to disable the menu; otherwise; set to 0 (zero). The default value is 0. |
| DisplayDisabled | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | Set to 1 to display a blank screen on error; otherwise; set to 0 (zero). The default value is 0. |
| HideAllBootUI | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | Set to 1 to suppress all Windows UI elements during startup; otherwise; set to 0 (zero). The default value is 0. |
| HideBootLogo | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | Set to 1 to suppress the default Windows logo; otherwise; set to 0 (zero). The default value is 0. |
| HideBootStatusIndicator | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | Set to 1 to suppress the status indicator; otherwise; set to 0 (zero). The default value is 0. |
| HideBootStatusMessage | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | Set to 1 to suppress the startup status text; otherwise; set to 0 (zero). The default value is 0. |
## Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM)
You must enable Unbranded boot on the installation media with DISM before you can apply settings for Unbranded boot using either Windows Configuration Designer or applying a provisioning package during setup.
1. Create a provisioning package or create a new Windows image in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
1. In the Available customizations page, select **Runtime settings** &gt; **SMISettings** and then set the value for the boot screen settings. The following values are just examples.
- **HideAllBootUI**=FALSE
- **HideBootLogo**=FALSE
- **HideBootStatusIndicator**=TRUE
- **HideBootStatusMessage**=TRUE
- **CrashDumpEnabled**=Full dump
> [!TIP]
> For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
1. Once you have finished configuring the settings and building the package or image, you use DISM to apply the settings.
1. Open a command prompt with administrator privileges.
1. Copy install.wim to a temporary folder on hard drive (in the following steps, it assumes it's called c:\\wim).
1. Create a new directory.
```cmd
md c:\wim
```
1. Mount the image.
```cmd
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
```
1. Enable the feature.
```cmd
dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
```
1. Commit the change.
```cmd
dism /unmount-wim /MountDir:c:\wim /Commit
```
In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue.
![unbranded boot screen](images/boot.jpg)
## Replace the startup logo
The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo.
## Suppress Errors During Boot
Errors that occur during early Windows Boot are typically a sign of bad device configuration or failing hardware and require user intervention to recover. You can suppress all error screens during early boot by enabling the **noerrordisplay** BCD setting.
1. Open a command prompt as an administrator.
1. Run the following command to suppress error screens during boot.
```cmd
bcdedit.exe -set {bootmgr} noerrordisplay on
```
## Related articles
- [Custom Logon](custom-logon.md)