From 6250c359ce61b2643fabab38cbef74a13588f42e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 5 Feb 2024 09:04:31 -0500 Subject: [PATCH] Update image source paths and include files in configuration files --- .../windows/edu-take-a-test-kiosk-mode.md | 24 +-- {includes => images}/insider.png | Bin includes/configure/powershell-wmi-bridge-1.md | 17 +++ includes/configure/powershell-wmi-bridge-2.md | 9 ++ includes/insider-note.md | 2 +- .../configuration/kiosk/quickstart-kiosk.md | 143 ------------------ .../kiosk/quickstart-restricted-experience.md | 15 +- 7 files changed, 37 insertions(+), 173 deletions(-) rename {includes => images}/insider.png (100%) create mode 100644 includes/configure/powershell-wmi-bridge-1.md create mode 100644 includes/configure/powershell-wmi-bridge-2.md diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index 79b60c3c9e..9d7ab29538 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -68,7 +68,6 @@ To configure devices using Intune for Education, follow these steps: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -85,7 +84,7 @@ Create a provisioning package using the Set up School PCs app, configuring the s ### Create a provisioning package using Windows Configuration Designer -[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings: +[!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)] | Setting | |--------| @@ -99,22 +98,11 @@ Create a provisioning package using the Set up School PCs app, configuring the s :::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true"::: -Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. +[!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)] #### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) -Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). - -> [!TIP] -> PowerShell scripts can be executed as scheduled tasks via Group Policy. - -> [!IMPORTANT] -> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. -> -> To test a PowerShell script, you can: -> 1. [Download the psexec tool](/sysinternals/downloads/psexec) -> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` -> 1. Run the script in the PowerShell session +[!INCLUDE [powershell-wmi-bridge-1](../../includes/configure/powershell-wmi-bridge-1.md)] Edit the following sample PowerShell script to: @@ -171,6 +159,8 @@ $cimObject.HideFastUserSwitching = 1 Set-CimInstance -CimInstance $cimObject ``` +[!INCLUDE [powershell-wmi-bridge-2](../../includes/configure/powershell-wmi-bridge-2.md)] + #### [:::image type="icon" source="images/icons/windows-os.svg"::: **Settings app**](#tab/win) To create a local account, and configure Take a Test in kiosk mode using the Settings app: @@ -189,7 +179,7 @@ To create a local account, and configure Take a Test in kiosk mode using the Set 1. Under **Test taking settings** select the options you want to enable during the test - To enable printing, select **Require printing** - > [!NOTE] + > [!NOTE] > Make sure a printer is pre-configured on the Take a Test account if you're enabling this option. - To enable teachers to monitor screens, select **Allow screen monitoring** @@ -198,7 +188,7 @@ To create a local account, and configure Take a Test in kiosk mode using the Set 1. To take the test, a student must sign in using the test-taking account selected in step 4 :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true"::: - > [!NOTE] + > [!NOTE] > To sign-in with a local account on a device that is joined to Microsoft Entra ID or Active Directory, you must prefix the username with either `\` or `.\`. --- diff --git a/includes/insider.png b/images/insider.png similarity index 100% rename from includes/insider.png rename to images/insider.png diff --git a/includes/configure/powershell-wmi-bridge-1.md b/includes/configure/powershell-wmi-bridge-1.md new file mode 100644 index 0000000000..e8c08a8b15 --- /dev/null +++ b/includes/configure/powershell-wmi-bridge-1.md @@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/12/2023 +ms.topic: include +ms.prod: windows-client +--- + +Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). + +> [!IMPORTANT] +> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. +> +> To test a PowerShell script, you can: +> 1. [Download the psexec tool](/sysinternals/downloads/psexec) +> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` +> 1. Run the script in the PowerShell session diff --git a/includes/configure/powershell-wmi-bridge-2.md b/includes/configure/powershell-wmi-bridge-2.md new file mode 100644 index 0000000000..28da5f1a76 --- /dev/null +++ b/includes/configure/powershell-wmi-bridge-2.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 09/12/2023 +ms.topic: include +ms.prod: windows-client +--- + +For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). diff --git a/includes/insider-note.md b/includes/insider-note.md index f0018a1d2b..a1160f8047 100644 --- a/includes/insider-note.md +++ b/includes/insider-note.md @@ -7,7 +7,7 @@ ms.date: 01/11/2024 :::row::: :::column span="1"::: -:::image type="content" source="insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: :::column-end::: :::column span="3"::: > [!IMPORTANT] diff --git a/windows/configuration/kiosk/quickstart-kiosk.md b/windows/configuration/kiosk/quickstart-kiosk.md index 2686019689..ad103a71ff 100644 --- a/windows/configuration/kiosk/quickstart-kiosk.md +++ b/windows/configuration/kiosk/quickstart-kiosk.md @@ -14,146 +14,3 @@ The configuration of a single-app kiosk can be done using: - PowerShell - the Settings app -When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed. -The other options allow you to configure a single app kiosk using a local account, or an account defined in the directory. - -Follow the instructions below to configure your devices, selecting the option that best suits your needs. - -#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune**](#tab/intune) - -[!INCLUDE [intune-custom-settings-1](../../../includes/configure/intune-custom-settings-1.md)] - -| Setting | -|--------| -|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`**
  • Data type: **Integer**
  • Value: **1**
    • | - -[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](../../../includes/configure/intune-custom-settings-info.md)] - -#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) - -[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings: - -| Setting | -|--------| -|
  • Path: **`SharedPC/AccountManagement/KioskModeAUMID`**
  • Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**
    • | -|
  • Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`**
  • Value: **Take a Test** (or a string of your choice to display in the sing-in screen)
    • | - -Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. - -#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) - -Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). - -> [!IMPORTANT] -> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. -> -> To test a PowerShell script, you can: -> -> 1. [Download the psexec tool](/sysinternals/downloads/psexec) -> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` -> 1. Run the script in the PowerShell session - -Edit the following sample PowerShell script to: - -- Customize the assessment URL with **$testURL** -- Change the kiosk user tile name displayed in the sign-in screen with **$userTileName** - -```powershell -$testURL = "https://contoso.com/algebra-exam" -$userTileName = "Take a Test" -$namespaceName = "root\cimv2\mdm\dmmap" -$ParentID="./Vendor/MSFT/Policy/Config" - -#Configure SharedPC -$className = "MDM_SharedPC" -$instance = "SharedPC" -$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.AccountModel = 1 -$cimObject.EnableAccountManager = $true -$cimObject.KioskModeAUMID = "Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App" -$cimObject.KioskModeUserTileDisplayText = $userTileName -Set-CimInstance -CimInstance $cimObject - -#Configure SecureAssessment -$className = "MDM_SecureAssessment" -$instance = "SecureAssessment" -$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.LaunchURI= $testURL -Set-CimInstance -CimInstance $cimObject - -#Configure interactive logon -$className = "MDM_Policy_Config01_LocalPoliciesSecurityOptions02" -$instance = "LocalPoliciesSecurityOptions" -$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.InteractiveLogon_DoNotDisplayLastSignedIn = 1 -Set-CimInstance -CimInstance $cimObject - -#Configure Windows logon -$className = "MDM_Policy_Config01_WindowsLogon02" -$instance = "WindowsLogon" -$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className -if (-not ($cimObject)) { - $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance} -} -$cimObject.HideFastUserSwitching = 1 -Set-CimInstance -CimInstance $cimObject -``` - -#### [:::image type="icon" source="images/icons/windows-os.svg"::: **Settings app**](#tab/win) - -To create a local account, and configure Take a Test in kiosk mode using the Settings app: - -1. Sign into the Windows device with an administrator account -1. Open the **Settings** app and select **Accounts** > **Other Users** -1. Under **Other users**, select **Add account** > **I don't have this person's sign-in information** > **Add a user without a Microsoft account** -1. Provide a user name and password for the account that will be used for testing - :::image type="content" source="./images/takeatest/settings-accounts-create-take-a-test-account.png" alt-text="Use the Settings app to create a test-taking account." border="true"::: -1. Select **Accounts > Access work or school** -1. Select **Create a test-taking account** - :::image type="content" source="./images/takeatest/settings-accounts-set-up-take-a-test-account.png" alt-text="Use the Settings app to set up a test-taking account." border="true"::: -1. Under **Add an account for taking tests**, select **Add account** > Select the account created in step 4 - :::image type="content" source="./images/takeatest/settings-accounts-choose-take-a-test-account.png" alt-text="Use the Settings app to choose the test-taking account." border="true"::: -1. Under **Enter the tests's web address**, enter the assessment URL -1. Under **Test taking settings** select the options you want to enable during the test - - To enable printing, select **Require printing** - - > [!NOTE] - > Make sure a printer is pre-configured on the Take a Test account if you're enabling this option. - - - To enable teachers to monitor screens, select **Allow screen monitoring** - - To allow text suggestions, select **Allow text suggestions** - -1. To take the test, a student must sign in using the test-taking account selected in step 4 - :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true"::: - - > [!NOTE] - > To sign-in with a local account on a device that is joined to Microsoft Entra ID or Active Directory, you must prefix the username with either `\` or `.\`. - ---- - -## How to use Take a Test in kiosk mode - -Once the devices are configured, a new user tile will be available in the sign-in screen. If selected, Take a Test will be executed in kiosk mode using the guest account, opening the assessment URL. - -## How to exit Take a Test - -To exit the Take a Test app at any time, press Ctrl+Alt+Delete. You'll be prompted to sign out of the test-taking account, or return to the test. Once signed out, the device will be unlocked from kiosk mode and can be used as normal. - -The following animation shows the process of signing in to the test-taking account, taking a test, and exiting the test: - -:::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true"::: - - - -[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package -[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package diff --git a/windows/configuration/kiosk/quickstart-restricted-experience.md b/windows/configuration/kiosk/quickstart-restricted-experience.md index 22236bff34..9f72b67c94 100644 --- a/windows/configuration/kiosk/quickstart-restricted-experience.md +++ b/windows/configuration/kiosk/quickstart-restricted-experience.md @@ -21,7 +21,7 @@ To complete this quickstart, you need: ## Configure a restricted user experience -[!INCLUDE [tab-intro](../includes/tab-intro.md)] +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) @@ -61,16 +61,7 @@ Value: #### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps) -Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). - -> [!IMPORTANT] -> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. -> -> To test a PowerShell script, you can: -> -> 1. [Download the psexec tool](/sysinternals/downloads/psexec) -> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` -> 1. Run the script in the PowerShell session +[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)] ```powershell $eventLogFilterHashTable = @{ @@ -158,7 +149,7 @@ if($cimSetError) { Write-Output "Successfully applied Assigned Access configuration" ``` -For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). +[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)] ---