From 4a6faae90170a1d147d57436ab9b7195ad6122ae Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sun, 25 Feb 2024 15:01:28 -0500 Subject: [PATCH] Update Shell Launcher configuration file names --- ... => assigned-access-configuration-file.md} | 74 ++++++++--- ...d => shell-launcher-configuration-file.md} | 2 +- .../shell-launcher-configure.md | 124 ------------------ .../shell-launcher-quickstart-kiosk.md | 2 +- windows/configuration/assigned-access/toc.yml | 4 +- 5 files changed, 59 insertions(+), 147 deletions(-) rename windows/configuration/assigned-access/{create-assigned-access-configuration.md => assigned-access-configuration-file.md} (96%) rename windows/configuration/assigned-access/{create-shell-launcher-configuration.md => shell-launcher-configuration-file.md} (96%) diff --git a/windows/configuration/assigned-access/create-assigned-access-configuration.md b/windows/configuration/assigned-access/assigned-access-configuration-file.md similarity index 96% rename from windows/configuration/assigned-access/create-assigned-access-configuration.md rename to windows/configuration/assigned-access/assigned-access-configuration-file.md index a9c9d6f111..2b497f7baa 100644 --- a/windows/configuration/assigned-access/create-assigned-access-configuration.md +++ b/windows/configuration/assigned-access/assigned-access-configuration-file.md @@ -17,7 +17,7 @@ Let's start by looking at the basic structure of the XML file. - A configuration xml can have multiple `configs`. Each config associates a non-admin user account to a default profile Id - A profile has no effect if it's not associated to a user account -You can start your file by pasting the following XML code into a text editor, and saving the file as `filename.xml`. +You can start your file by pasting the following XML code into a text editor, and saving the file with an xml extension. For example, `kiosk.xml`. ::: zone pivot="windows-11" 
@@ -56,7 +56,7 @@ You can start your file by pasting the following XML code into a text editor, an xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" - xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config" + xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"> 
@@ -79,35 +79,71 @@ You can start your file by pasting the following XML code into a text editor, an ## Profiles node +An Assigned Access configuration file can contain one or more profiles. Each profile is identified by a unique identified `Profile Id`, for example: + +```xml + + + ... + + +``` + There are two types of profiles that you can specify in the XML: -- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. +- `AllAppList` is used to configure a restricted user experience. Users assigned this profile access the desktop with the specific apps on the Start menu +- `KioskModeApp`: is used to configure a kiosk experience. 
Users assigned this profile don't access the desktop, but only the UWP application or Microsoft Edge running in full-screen -A lockdown profile section in the XML has the following entries: +### AllAppList profile -- [**Id**](#id) -- [**AllowedApps**](#allowedapps) -- [**StartPins**](#startpins) -- [**Taskbar**](#taskbar) +An `AllAppList` profile has the following properties: -A kiosk profile in the XML has the following entries: +::: zone pivot="windows-11" -- [**Id**](#id) -- [**KioskModeApp**](#kioskmodeapp) +- `Id` (required) +- `Name` (optional) +- `AllowedApps` +- `StartPins` +- `TaskbarLayout` + +::: zone-end + +::: zone pivot="windows-10" + +- `Id` (required) +- `Name` (optional) +- `AllowedApps` +- `StartLayout` +- `Taskbar` +- `FileExplorerNamespaceRestrictions` + +::: zone-end + +### KioskModeApp profile + +A `KioskModeApp` profile contains the following properties: + +- `Id` (required) +- `Name` (optional) +- `KioskModeApp` (required) + +Example: + +```xml + + + + + + +``` In the XML file, you define each profile with a globally unique identifier (GUID), which must be unique within the XML file. > [!TIP] > You can generate a GUID with the PowerShell cmdlet `New-Guid`. -```xml - - - ... - - -``` + A *profile node* contains the following properties: diff --git a/windows/configuration/assigned-access/create-shell-launcher-configuration.md b/windows/configuration/assigned-access/shell-launcher-configuration-file.md similarity index 96% rename from windows/configuration/assigned-access/create-shell-launcher-configuration.md rename to windows/configuration/assigned-access/shell-launcher-configuration-file.md index a50ca9e6c4..6015ddd860 100644 --- a/windows/configuration/assigned-access/create-shell-launcher-configuration.md +++ b/windows/configuration/assigned-access/shell-launcher-configuration-file.md 
@@ -5,7 +5,7 @@ ms.date: 02/12/2024 ms.topic: how-to --- -# Shell Launcher configuration XML examples +# Create an Shell Launcher configuration file This article provides practical examples of Shell Launcher XML configuration files. diff --git a/windows/configuration/assigned-access/shell-launcher-configure.md b/windows/configuration/assigned-access/shell-launcher-configure.md index aa6576dfb9..9f09a3fa1e 100644 --- a/windows/configuration/assigned-access/shell-launcher-configure.md +++ b/windows/configuration/assigned-access/shell-launcher-configure.md 
@@ -100,129 +100,6 @@ After you configure the profile containing the custom Shell Launcher setting, se ## Configure a custom shell using PowerShell -For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md). - -For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you'll want to change the script for your purposes. Save your script with the extension.ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -```powershell -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - return (enabled != 0); - } - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } -} -"@ - $type = Add-Type -TypeDefinition $source -PassThru - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. 
-try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - - write-host "Make sure Shell Launcher feature is enabled" - exit - } - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. - -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. 
- -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. - -$ShellLauncherClass.RemoveCustomShell($Admins_SID) -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` ## default action, custom action, exit code @@ -247,5 +124,4 @@ To configure these actions with Shell Launcher CSP, use below syntax in the shel - ``` diff --git a/windows/configuration/assigned-access/shell-launcher-quickstart-kiosk.md b/windows/configuration/assigned-access/shell-launcher-quickstart-kiosk.md index 85b4fa909b..92c9c2b91b 100644 --- a/windows/configuration/assigned-access/shell-launcher-quickstart-kiosk.md +++ b/windows/configuration/assigned-access/shell-launcher-quickstart-kiosk.md @@ -63,7 +63,7 @@ After the settings are applied, reboot the device. A local user account named `A > [!div class="nextstepaction"] > Learn more how to create a Shell Launcher configuration file: > -> [Create a shell launcher configuration file](create-shell-launcher-configuration.md) +> [Create a Shell Launcher configuration file](create-shell-launcher-configuration.md) diff --git a/windows/configuration/assigned-access/toc.yml b/windows/configuration/assigned-access/toc.yml index 3c46238496..b3764d9b18 100644 --- a/windows/configuration/assigned-access/toc.yml +++ b/windows/configuration/assigned-access/toc.yml 
@@ -20,11 +20,11 @@ items: - name: Configure devices with Assigned Access href: assigned-access-configure.md - name: Create an Assigned Access configuration file - href: create-assigned-access-configuration.md + href: assigned-access-configuration-file.md - name: Configure devices with Shell Launcher href: shell-launcher-configure.md - name: Create a Shell Launcher configuration file - href: create-shell-launcher-configuration.md + href: shell-launcher-configuration-file.md - name: Find the AUMID of an installed app href: find-aumid.md - name: Use Shell Launcher to create a Windows client kiosk
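Review bot: In the `## Profiles node` hunk of assigned-access-configuration-file.md, the added sentence "Each profile is identified by a unique identified `Profile Id`" should read "unique identifier". In the same hunk the `KioskModeApp` bullet has a stray colon after the name ("`KioskModeApp`: is used"), which the `AllAppList` bullet does not have. The new property lists also drop the in-page anchor links the removed lists carried (`#id`, `#allowedapps`, `#startpins`, `#taskbar`, `#kioskmodeapp`). The Profile Id example has moved to the top of the section, but the sentence explaining that the Id is a GUID and the `New-Guid` tip stay at the bottom, now followed only by added blank lines. Consider moving the GUID sentence and tip up beside the first example and dropping the empty `+` lines.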
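Review bot: The new H1 in shell-launcher-configuration-file.md, "# Create an Shell Launcher configuration file", should use "a" rather than "an"; toc.yml and the quickstart link text in this same patch already spell it "Create a Shell Launcher configuration file". The unchanged line below the heading still says the article "provides practical examples", so the how-to style title and the intro now describe different things; one of them should be adjusted.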
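Review bot: In the shell-launcher-quickstart-kiosk.md hunk, the changed line fixes only the link text; the target is still `create-shell-launcher-configuration.md`, which this patch renames to `shell-launcher-configuration-file.md`. The link will break once the rename lands. Update the target to `shell-launcher-configuration-file.md`, as the toc.yml hunk does for its `href`, and check the rest of the repo for remaining references to both old file names (`create-assigned-access-configuration.md` and `create-shell-launcher-configuration.md`).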
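Review bot: The first shell-launcher-configure.md hunk deletes everything under `## Configure a custom shell using PowerShell`, including the pointer to the Shell Launcher v2 Bridge WMI sample scripts, but keeps the heading, so the page now has an empty section followed directly by `## default action, custom action, exit code`. Either remove the heading as well or leave a short pointer to where the PowerShell guidance now lives. The commit subject mentions only file-name updates, while the diffstat shows 124 deletions in this file; the message should say the script was removed and why.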