From 428047c22848cbe7c7e4807a9181dae25244ff5e Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Mon, 20 Sep 2021 15:36:28 -0400 Subject: [PATCH] win11 kiosk updates --- .../guidelines-for-assigned-access-app.md | 13 +- .../kiosk-additional-reference.md | 14 +- windows/configuration/kiosk-mdm-bridge.md | 7 +- windows/configuration/kiosk-methods.md | 33 ++- windows/configuration/kiosk-policies.md | 5 +- windows/configuration/kiosk-prepare.md | 224 ++++++------------ windows/configuration/kiosk-shelllauncher.md | 9 +- windows/configuration/kiosk-single-app.md | 127 +++++----- windows/configuration/kiosk-troubleshoot.md | 5 +- windows/configuration/kiosk-validate.md | 7 +- windows/configuration/kiosk-xml.md | 28 ++- .../lock-down-windows-10-to-specific-apps.md | 15 +- .../set-up-shared-or-guest-pc.md | 25 +- .../configuration/setup-digital-signage.md | 38 +-- 14 files changed, 223 insertions(+), 327 deletions(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index d24b76cd0c..2969e1dd6f 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,5 +1,5 @@ --- -title: Guidelines for choosing an app for assigned access (Windows 10) +title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 @@ -19,7 +19,8 @@ manager: dansimp **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. @@ -45,9 +46,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. @@ -55,7 +56,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app >Kiosk Browser cannot access intranet websites. -**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). +**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) / Windows 11. 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps) @@ -162,7 +163,7 @@ Check the guidelines published by your selected app and set up accordingly. ## Develop your kiosk app -Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. +Assigned access in Windows client leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 67f49befe3..666ea49c71 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -1,5 +1,5 @@ --- -title: More kiosk methods and reference information (Windows 10) +title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: @@ -19,7 +19,8 @@ ms.topic: reference **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 ## In this section @@ -31,11 +32,8 @@ Topic | Description [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. -[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. -[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. -[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +[Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. +[Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. +[Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. - - - diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 73c8fdcc17..85ad833603 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -1,5 +1,5 @@ --- -title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10) +title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: @@ -15,12 +15,13 @@ ms.date: 11/07/2018 ms.topic: article --- -# Use MDM Bridge WMI Provider to create a Windows 10 kiosk +# Use MDM Bridge WMI Provider to create a Windows client kiosk **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 9efa2b652d..ef90aa43f4 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -1,9 +1,9 @@ --- -title: Configure kiosks and digital signs on Windows desktop editions (Windows 10) +title: Configure kiosks and digital signs on Windows desktop editions (Windows 10/11) ms.reviewer: manager: dansimp ms.author: greglin -description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions. +description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,21 +18,29 @@ ms.topic: article >[!WARNING] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use: +**Applies to** -- **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. +- Windows 10 +- Windows 11 + +Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: + +- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. - A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. + A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. - ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png) + ![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png) - **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. - A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. + A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. - ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png) + ![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png) -Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + > [!NOTE] + > Currently, multi-app kiosk is only supported on Windows 10. It's not supported on Windows 11. + +Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. @@ -48,11 +56,11 @@ There are several kiosk configuration methods that you can choose from, dependin If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). -- **Which edition of Windows 10 will the kiosk run?** +- **Which edition of Windows client will the kiosk run?** ![icon that represents Windows.](images/windows.png) - All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. + All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode is not available on Windows Home. - **Which type of user account will be the kiosk account?** @@ -110,5 +118,4 @@ Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-ap >[!NOTE] ->For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. - +>For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 9f817f7581..df85323213 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -1,5 +1,5 @@ --- -title: Policies enforced on kiosk devices (Windows 10) +title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: @@ -21,7 +21,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windwos 11 diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index ba1aaa2b58..39121135bb 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -1,5 +1,5 @@ --- -title: Prepare a device for kiosk configuration (Windows 10) +title: Prepare a device for kiosk configuration (Windows 10/11) | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: @@ -19,7 +19,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 > [!WARNING] > For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. @@ -35,33 +36,33 @@ ms.topic: article For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: -Recommendation | How to ---- | --- -Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. -Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`

**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.

To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. -Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time** -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled** -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. +| Recommendation | How to | +| --- | --- | +|Hide update notifications
(New starting in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. | +| Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`

**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.

To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. | +| Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time** | +| Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled** | +| Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +| Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. | +| Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** | +| Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. | +| Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. | +| Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. | ## Enable logging Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) +:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: ## Automatic logon In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. > [!NOTE] -> If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. +> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. > [!TIP] > If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. @@ -107,147 +108,56 @@ The following table describes some features that have interoperability issues we > [!Note] > Where applicable, the table notes which features are optional that you can configure for assigned access. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FeatureDescription

Accessibility

Assigned access does not change Ease of Access settings.

-

We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:

- ---- - - - - - - - - - - - - - - - - - - - - -
Key combinationBlocked behavior

Left Alt+Left Shift+Print Screen

Open High Contrast dialog box.

Left Alt+Left Shift+Num Lock

Open Mouse Keys dialog box.

Windows logo key+U

Open Ease of Access Center.

-

 

Assigned access Windows PowerShell cmdlets

In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference.

Key sequences blocked by assigned access

When in assigned access, some key combinations are blocked for assigned access users.

-

Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.

-

Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings.

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Key combinationBlocked behavior for assigned access users

Alt+Esc

Cycle through items in the reverse order from which they were opened.

Ctrl+Alt+Esc

Cycle through items in the reverse order from which they were opened.

Ctrl+Esc

Open the Start screen.

Ctrl+F4

Close the window.

Ctrl+Shift+Esc

Open Task Manager.

Ctrl+Tab

Switch windows within the application currently open.

LaunchApp1

Open the app that is assigned to this key.

LaunchApp2

Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.

LaunchMail

Open the default mail client.

Windows logo key

Open the Start screen.

-

 

-

Keyboard Filter settings apply to other standard accounts.

Key sequences blocked by Keyboard Filter

If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic.

-

Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education.

-

Power button

Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

-

For more information on removing the power button or disabling the physical power button, see Custom Logon.

Unified Write Filter (UWF)

UWFsettings apply to all users, including those with assigned access.

-

For more information, see Unified Write Filter.

WEDL_AssignedAccess class

Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

-

If you need to use assigned access API, see WEDL_AssignedAccess.

Welcome Screen

Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

-

For more information, see Custom Logon.

+- **Accessibility**: Assigned access does not change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features: + | Key combination | Blocked behavior | + | --- | --- | + | Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. | + | Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. | + | Windows logo key + U | Open Ease of Access Center. | - +- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/) + +- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users. + + Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations. + + Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings). + + | Key combination | Blocked behavior for assigned access users | + | --- | --- | + | Alt+Esc | Cycle through items in the reverse order from which they were opened. | + | Ctrl+Alt+Esc | Cycle through items in the reverse order from which they were opened. | + | Ctrl+Esc | Open the Start screen. | + | Ctrl+F4 | Close the window. | + | Ctrl+Shift+Esc | Open Task Manager. | + | Ctrl+Tab | Switch windows within the application currently open. | + | LaunchApp1 | Open the app that is assigned to this key. | + | LaunchApp2 | Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. | + | LaunchMail | Open the default mail client. | + | Windows logo key | Open the Start screen. | + + Keyboard Filter settings apply to other standard accounts. + +- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). + + [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education. + +- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access. + + For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). + +- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including those with assigned access. + + For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). + +- **WEDL_AssignedAccess class**: Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead. + + If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess). + +- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. + + For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). ## Testing your kiosk in a virtual machine (VM) @@ -257,8 +167,8 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. -![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png) +:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session is not selected, which means basic is used."::: To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. -![Do not select the connect button, use "close X" in the top corner](images/vm-kiosk-connect.png) \ No newline at end of file +:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Do not select the connect button. Use "close X" in the top corner to connect to a VM in basic session"::: diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 73e724bd75..5c54ed24d0 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -1,5 +1,5 @@ --- -title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10) +title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: @@ -14,13 +14,14 @@ ms.localizationpriority: medium ms.topic: article --- -# Use Shell Launcher to create a Windows 10 kiosk +# Use Shell Launcher to create a Windows client kiosk **Applies to** - Windows 10 Ent, Edu +- Windows 11 -Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. +Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. >[!NOTE] >Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. @@ -30,7 +31,7 @@ Using Shell Launcher, you can configure a device that runs an application as the >- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies >- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies -You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. +You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10 version 1803+ / Windows 11, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. ## Differences between Shell Launcher v1 and Shell Launcher v2 diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 4a123b3408..08a4c1d23e 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -1,5 +1,5 @@ --- -title: Set up a single-app kiosk (Windows 10) +title: Set up a single-app kiosk (Windows 10/11) description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: @@ -11,7 +11,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 01/09/2019 +ms.date: 09/20/2021 ms.topic: article --- @@ -20,7 +20,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. @@ -35,11 +36,10 @@ You have several options for configuring your single-app kiosk. Method | Description --- | --- -[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.

This method is supported on Windows 10 Pro, Enterprise, and Education. -[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. -[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. -[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. - +[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.

This method is supported on Windows client Pro, Enterprise, and Education. +[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows client Pro, Enterprise, and Education. +[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

This method is supported on Windows 10 Pro version 1709+, Enterprise, and Education / Windows 11. +[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

This method is supported on Windows 10 Pro version 1709+, Enterprise, and Education / Windows 11. >[!TIP] >You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). @@ -52,11 +52,14 @@ Method | Description ## Set up a kiosk in local Settings ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS edition: +> - Windows client Pro, Ent, Edu > ->Account type: Local standard user +>Account type: +> - Local standard user You can use **Settings** to quickly configure one or a few devices as a kiosk. @@ -68,11 +71,9 @@ When your kiosk is a local device that is not managed by Active Directory or Azu ![Screenshot of automatic sign-in setting.](images/auto-signin.png) -### Instructions for Windows 10, version 1809 +### Windows 10 version 1809 / Windows 11 -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time. - -**To set up assigned access in PC settings** +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings: 1. Go to **Start** > **Settings** > **Accounts** > **Other users**. @@ -94,9 +95,9 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. -### Instructions for Windows 10, version 1803 and earlier +### Instructions for Windows 10 version 1803 and earlier -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) ![The Set up assigned access page in Settings.](images/kiosk-settings.png) @@ -114,22 +115,19 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - - ## Set up a kiosk using Windows PowerShell ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS edition: +> - Windows client Pro, Ent, Edu > ->Account type: Local standard user +>Account type: +> - Local standard user ![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) @@ -144,28 +142,12 @@ Before you run the cmdlet: 5. Log out as the Assigned Access user account. 6. Log in as administrator. -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. +To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. -**Configure assigned access by AppUserModelID and user name** - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` -**Configure assigned access by AppUserModelID and user SID** - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` -**Configure assigned access by app name and user name** - -``` -Set-AssignedAccess -AppName -UserName -``` -**Configure assigned access by app name and user SID** - -``` -Set-AssignedAccess -AppName -UserSID -``` +- **Configure assigned access by AppUserModelID and user name**: `Set-AssignedAccess -AppUserModelId -UserName ` +- **Configure assigned access by AppUserModelID and user SID**: `Set-AssignedAccess -AppUserModelId -UserSID ` +- **Configure assigned access by app name and user name**: `Set-AssignedAccess -AppName -UserName ` +- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName -UserSID ` > [!NOTE] > To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. @@ -174,22 +156,27 @@ Set-AssignedAccess -AppName -UserSID [Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**). -To remove assigned access, using PowerShell, run the following cmdlet. +To remove assigned access, using PowerShell, run the following cmdlet: -``` +```powershell Clear-AssignedAccess ``` - ## Set up a kiosk using the kiosk wizard in Windows Configuration Designer ->App type: UWP or Windows desktop application +>App type: +> - UWP +> - Windows desktop application > ->OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +>OS edition: +> - Windows 10 Pro version 1709+ for UWP only; Ent, Edu for both app types +> - Windows 11 > ->Account type: Local standard user, Active Directory +>Account type: +> - Local standard user +> - Active Directory ![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) @@ -202,12 +189,10 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. - - - + - + @@ -222,36 +207,31 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - [Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - - - ## Set up a kiosk or digital sign using Microsoft Intune or other MDM service ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro (version 1709), Ent, Edu +>OS edition: +> - Windows 10 Pro version 1709+, Ent, Edu +> - Windows 11 > ->Account type: Local standard user, Azure AD +>Account type: +> - Local standard user +> - Azure AD Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. >[!TIP] ->Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). +>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). -To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. +To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. @@ -261,7 +241,6 @@ To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then si If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** +`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index e34bee8204..7591e5d1bb 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot kiosk mode issues (Windows 10) +title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: @@ -20,7 +20,8 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 ## Single-app kiosk issues diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 13ba945753..ca90b1212e 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -1,6 +1,6 @@ --- -title: Validate kiosk configuration (Windows 10) -description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education. +title: Validate kiosk configuration (Windows 10/11) +description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp @@ -20,7 +20,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 36dd8ce054..59612cdcd1 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -1,6 +1,6 @@ --- -title: Assigned Access configuration kiosk XML reference (Windows 10) -description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10. +title: Assigned Access configuration kiosk XML reference (Windows 10/11) +description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: manager: dansimp @@ -21,7 +21,8 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windwos 11 ## Full XML sample @@ -255,9 +256,10 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## Global Profile Sample XML -Global Profile is currently supported in Windows 10, version 2004. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. +Global Profile is currently supported in Windows 10 version 2004 / Windows 11. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. + +This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in. -This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml [!NOTE] ->Updated for Windows 10, version 1903 and later. -Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. +>Updated for Windows 10, version 1903+. + +The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release.: ```xml @@ -814,7 +817,8 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ``` -Here is the schema for new features introduced in Windows 10 1809 release +The following XML is the schema for new features introduced in Windows 10 1809 release: + ```xml ``` -Schema for Windows 10, version 1909 and later +The following XML is the schema for Windows 10 version 1909+: + ```xml ``` -To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the autolaunch feature that was added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. + ```xml [!NOTE] +> Currently, multi-app kiosk is only supported on Windows 10. It's not supported on Windows 11. + A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. The following table lists changes to multi-app kiosk in recent updates. -| New features and improvements | In update | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| - Configure [a single-app kiosk profile](#profile) in your XML file

- Assign [group accounts to a config profile](#config-for-group-accounts)

- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | +| New features and improvements | In update | +| --- | ---| +| - Configure [a single-app kiosk profile](#profile) in your XML file

- Assign [group accounts to a config profile](#config-for-group-accounts)

- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | | - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

- [Automatically launch an app](#allowedapps) when the user signs in

- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | >[!WARNING] @@ -43,7 +46,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi ## Configure a kiosk in Microsoft Intune -To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows). +To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For explanations of the specific settings, see [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows). diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index ed5c4ee3a3..cd316111c2 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -1,6 +1,6 @@ --- -title: Set up a shared or guest PC with Windows 10 (Windows 10) -description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios. +title: Set up a shared or guest PC with Windows 10/11 (Windows 10/11) +description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows client for shared use scenarios. keywords: ["shared pc mode"] ms.prod: w10 ms.mktglfcycl: manage @@ -13,26 +13,27 @@ ms.reviewer: manager: dansimp --- -# Set up a shared or guest PC with Windows 10 +# Set up a shared or guest PC with Windows 10/11 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. +Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise. > [!NOTE] -> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. +> If you're interested in using Windows client for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. ## Shared PC mode concepts -A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. +A Windows client PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. ### Account models -It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. +It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows client has a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. ### Account management -When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. +When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. ### Maintenance and sleep Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. @@ -73,7 +74,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | | Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | | Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) | -| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | +| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows client configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | | Customization: SetPowerPolicies | When set as **True**:
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | @@ -83,7 +84,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). @@ -117,7 +118,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: - + ```powershell $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" $sharedPC.EnableSharedPCMode = $True diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index 80bbd5b7da..15c04acb08 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -1,5 +1,5 @@ --- -title: Set up digital signs on Windows 10 (Windows 10) +title: Set up digital signs on Windows 10/11 (Windows 10/11) description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: @@ -11,31 +11,30 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 09/20/2021 ms.topic: article --- -# Set up digital signs on Windows 10 - +# Set up digital signs on Windows 10/11 **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. -For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. +For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content. >[!TIP] >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803. +Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+. >[!NOTE] >If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business). - -This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience). +This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience). 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) @@ -43,24 +42,24 @@ This procedure explains how to configure digital signage using Kiosk Browser on 3. Open Windows Configuration Designer and select **Provision kiosk devices**. 4. Enter a friendly name for the project, and select **Finish**. 5. On **Set up device**, select **Disabled**, and select **Next**. -6. On **Set up network**, enable network setup. +6. On **Set up network**, enable network setup: - Toggle **On** wireless network connectivity. - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. 7. On **Account management**, select **Disabled**, and select **Next**. -8. On **Add applications**, select **Add an application**. +8. On **Add applications**, select **Add an application**: - For **Application name**, enter `Kiosk Browser`. - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed. - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business. - The **Package family name** is populated automatically. - Select **Next**. 9. On **Add certificates**, select **Next**. -10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage. +10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage: - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. - For **App type**, select **Universal Windows App**. - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. -12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu. +12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu: - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. - In **BlockedUrl**, enter `*`. - In **DefaultUrl**, enter `https://www.contoso.com/menu`. @@ -79,16 +78,3 @@ This procedure explains how to configure digital signage using Kiosk Browser on 20. Copy the .ppkg file to a USB drive. 21. Attach the USB drive to the device that you want to use for your digital sign. 22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive. - - - - - - - - - - - - -
step oneset up device

Enable device setup if you want to configure settings on this page.

If enabled:

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device. 		device name, upgrade to enterprise, shared use, remove pre-installed software
step oneset up device

Enable device setup if you want to configure settings on this page.

If enabled:

Enter a name for the device.

(Optional) Select a license file to upgrade Windows client to a different edition. See the permitted upgrades.

Toggle Configure devices for shared use off. This setting optimizes Windows client for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device. 		device name, upgrade to enterprise, shared use, remove pre-installed software
step two set up network

Enable network setup if you want to configure settings on this page.

If enabled:

Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.		Enter network SSID and type
step three account management

Enable account management if you want to configure settings on this page.

If enabled:

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		join Active Directory, Azure AD, or create a local admin account
step three account management

Enable account management if you want to configure settings on this page.

If enabled:

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

Warning: You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		join Active Directory, Azure AD, or create a local admin account
step four add applications

You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps

Warning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application. 		add an application
step five add certificates

To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.		add a certificate
step six Configure kiosk account and app

You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)

In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.		The 'Configure kiosk common settings' button as displayed while provisioning a kiosk device in Windows Configuration Designer.