deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Add documentation for configuring Assigned Access and Shell Launcher

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-02-28 13:23:16 -05:00
parent bdbec818f5
commit 7127ecf990
5 changed files with 51 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
windows/configuration/assigned-access/assigned-access-configure.md
View File

@ -7,6 +7,38 @@ ms.topic: how-to
# Configure Assigned Access # Configure Assigned Access
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or restricted user experience.
:::row:::
:::column span="1":::
:::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
:::column-end:::
:::column span="3":::
#### Kiosk experience
A single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it will automatically restart. Practical examples include:
- Digital signs
- Public web browsing kiosks
This experience is sometimes referred to as *single-app kiosk*.
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
:::column-end:::
:::column span="3":::
#### Restricted user experience
Users can execute a defined list of applications, with a custom and locked down Start menu and Taskbar. Practical examples include:
- Frontline worker devices
- Student devices
- Lab devices
:::column-end:::
:::row-end:::
Assigned Access profiles only apply to non-admin accounts. When an administrator signs in, the Assigned Access restrictions don't apply.
## Configure a kiosk in Microsoft Intune ## Configure a kiosk in Microsoft Intune
To configure a kiosk in Microsoft Intune, see: To configure a kiosk in Microsoft Intune, see:

2
windows/configuration/assigned-access/includes/shell-launcher-quickstart-intune.md
View File

@ -10,4 +10,4 @@ POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Kiosk - Shell Launcher", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "ShellLauncher", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/ShellLauncher", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<ShellLauncherConfiguration\nxmlns=\"http://schemas.microsoft.com/ShellLauncher/2018/Configuration\"\nxmlns:V2=\"http://schemas.microsoft.com/ShellLauncher/2019/Configuration\">\n <Profiles>\n <DefaultProfile>\n <Shell Shell=\"%SystemRoot%\\explorer.exe\"/>\n </DefaultProfile>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\">\n <Shell Shell=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2\" V2:AppType=\"Desktop\" V2:AllAppsFullScreen=\"true\">\n <ReturnCodeActions>\n <ReturnCodeAction ReturnCode=\"0\" Action=\"RestartShell\"/>\n <ReturnCodeAction ReturnCode=\"-1\" Action=\"RestartDevice\"/>\n <ReturnCodeAction ReturnCode=\"255\" Action=\"ShutdownDevice\"/>\n </ReturnCodeActions>\n <DefaultAction Action=\"RestartShell\"/>\n </Shell>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount/>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\"/>\n </Config>\n </Configs>\n</ShellLauncherConfiguration>" } ], } { "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Kiosk - Shell Launcher", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "ShellLauncher", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/ShellLauncher", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<ShellLauncherConfiguration\nxmlns=\"http://schemas.microsoft.com/ShellLauncher/2018/Configuration\"\nxmlns:V2=\"http://schemas.microsoft.com/ShellLauncher/2019/Configuration\">\n <Profiles>\n <DefaultProfile>\n <Shell Shell=\"%SystemRoot%\\explorer.exe\"/>\n </DefaultProfile>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\">\n <Shell Shell=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2\" V2:AppType=\"Desktop\" V2:AllAppsFullScreen=\"true\">\n <ReturnCodeActions>\n <ReturnCodeAction ReturnCode=\"0\" Action=\"RestartShell\"/>\n <ReturnCodeAction ReturnCode=\"-1\" Action=\"RestartDevice\"/>\n <ReturnCodeAction ReturnCode=\"255\" Action=\"ShutdownDevice\"/>\n </ReturnCodeActions>\n <DefaultAction Action=\"RestartShell\"/>\n </Shell>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount/>\n <Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F78}\"/>\n </Config>\n </Configs>\n</ShellLauncherConfiguration>" } ], }
``` ```

4
windows/configuration/assigned-access/includes/shell-launcher-quickstart-ps.md
View File

@ -40,6 +40,4 @@ $className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) $obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj $obj = Set-CimInstance -CimInstance $obj
```
```

14
windows/configuration/assigned-access/index.md
View File

@ -18,6 +18,15 @@ Organization may want to set up special purpose devices, such as a device in the
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
:::row:::
:::column span="1":::
:::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
:::column-end:::
:::column span="3":::
#### Restricted user experience
:::column-end:::
:::row-end:::
This experience runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart. This experience is sometimes referred to as *single-app kiosk*. This experience runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. If the kiosk app is closed, it will automatically restart. This experience is sometimes referred to as *single-app kiosk*.
Windows offers two different features to configure a kiosk experience: Windows offers two different features to configure a kiosk experience:
@ -40,9 +49,8 @@ To configure a restricted user experience you use a feature called **Assgined Ac
## Choose the right experience ## Choose the right experience
Carefully evaluate all applications that users should use. If applications require user authentication, don't use a local or generic
user account. Rather, target the group of users within the Assigned Access configuration file.
A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device. A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device.

7
windows/configuration/assigned-access/shell-launcher-configure.md
View File

@ -7,7 +7,12 @@ ms.topic: how-to
# Configure devices with Shell Launcher # Configure devices with Shell Launcher
Shell Launcher is an Assigned Access configuration that replaces the default Windows Explorer shell (`explorer.exe`) with the `CustomShellHost.exe` application. CustomShellHost can launch a Windows desktop application or a UWP app. Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`explorer.exe`) with the `CustomShellHost.exe` application. CustomShellHost can launch a Windows desktop application or a UWP app.
Practical examples include:
- Public kiosks
- ATMs
Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand. Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand.