diff --git a/.github/workflows/AutoLabelMsftContributor.yml b/.github/workflows/AutoLabelMsftContributor.yml
index 66992cfeef..c41825acc8 100644
--- a/.github/workflows/AutoLabelMsftContributor.yml
+++ b/.github/workflows/AutoLabelMsftContributor.yml
@@ -31,10 +31,5 @@ jobs:
PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
- TeamReadAccessToken: ${{ secrets.ORG_READTEAMS_TOKEN }}
-
-
-
-
-
-
+ ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+ PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json
index e07084c0ec..b0c6be0d58 100644
--- a/.openpublishing.redirection.windows-configuration.json
+++ b/.openpublishing.redirection.windows-configuration.json
@@ -1034,6 +1034,56 @@
"source_path": "windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md",
"redirect_url": "/microsoft-desktop-optimization-pack/ue-v/uev-working-with-custom-templates-and-the-uev-generator",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/assigned-access/overview.md",
+ "redirect_url": "/windows/configuration/assigned-access/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/assigned-access/shell-launcher/configuration-file.md",
+ "redirect_url": "/windows/configuration/shell-launcher/configuration-file",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/assigned-access/shell-launcher/index.md",
+ "redirect_url": "/windows/configuration/shell-launcher/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md",
+ "redirect_url": "/windows/configuration/shell-launcher/quickstart-kiosk",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/assigned-access/shell-launcher/xsd.md",
+ "redirect_url": "/windows/configuration/shell-launcher/xsd",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/shell-launcher/browser-support.md",
+ "redirect_url": "/windows/configuration/kiosk/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/shell-launcher/kiosk-mode.md",
+ "redirect_url": "/windows/configuration/kiosk/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/shell-launcher/multi-app-kiosk.md",
+ "redirect_url": "/windows/configuration/kiosk/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/shell-launcher/single-app-kiosk.md",
+ "redirect_url": "/windows/configuration/kiosk/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/shell-launcher/wedl-assignedaccess.md",
+ "redirect_url": "/windows/configuration/assigned-access/wedl-assignedaccess",
+ "redirect_document_id": false
}
]
}
diff --git a/includes/licensing/assigned-access.md b/includes/licensing/assigned-access.md
index 30348f5e9d..be81753ec1 100644
--- a/includes/licensing/assigned-access.md
+++ b/includes/licensing/assigned-access.md
@@ -5,18 +5,11 @@ ms.date: 09/18/2023
ms.topic: include
---
-
+### Windows edition requirements
-## Windows edition requirements
+The following list contains the Windows editions that support Assigned Access:
-The following table lists the Windows editions that support Assigned Access:
-
-|Edition|Assigned Access support|
-|:---|:---:|
-|Education|✅|
-|Enterprise |✅|
-|Enterprise LTSC|✅|
-|IoT Enterprise | ✅|
-|IoT Enterprise LTSC|✅|
-|Pro Education|✅|
-|Pro|✅|
+✅ Pro\
+✅ Enterprise / Enterprise LTSC\
+✅ Education\
+✅ IoT Enterprise / IoT Enterprise LTSC
diff --git a/includes/licensing/shell-launcher.md b/includes/licensing/shell-launcher.md
index 07418aeb82..388f256f16 100644
--- a/includes/licensing/shell-launcher.md
+++ b/includes/licensing/shell-launcher.md
@@ -5,19 +5,10 @@ ms.date: 09/18/2023
ms.topic: include
---
-
+### Windows edition requirements
-## Windows edition requirements
+The following list contains the Windows editions that support Shell Launcher:
-The following table lists the Windows editions that support Shell Launcher:
-
-|Edition|Shell Launcher support|
-|:---|:---:|
-|Education|✅|
-|Enterprise |✅|
-|Enterprise LTSC|✅|
-|IoT Enterprise | ✅|
-|IoT Enterprise LTSC|✅|
-|Pro Education|❌|
-|Pro|❌|
-|Home|❌|
+✅ Enterprise / Enterprise LTSC\
+✅ Education\
+✅ IoT Enterprise / IoT Enterprise LTSC
diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md
index 15fb10a733..ae9ebb8fad 100644
--- a/windows/configuration/assigned-access/configuration-file.md
+++ b/windows/configuration/assigned-access/configuration-file.md
@@ -3,7 +3,7 @@ title: Create an Assigned Access configuration file
description: Learn how to create an XML file to configure Assigned Access.
ms.topic: how-to
zone_pivot_groups: windows-versions-11-10
-ms.date: 10/31/2024
+ms.date: 3/7/2025
appliesto:
---
@@ -150,16 +150,24 @@ Example:
+
+
```
+> [!IMPORTANT]
+> If you pins elements to the Start menu with Microsoft Edge secondary tiles, include the following apps in the allowed apps list:
+>
+> - ``
+> - ``
+
::: zone pivot="windows-10"
### File Explorer restrictions
-In a restricted user experience (`AllAppList`), folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node.
+In a restricted user experience, folder browsing is locked down by default. You can explicitly allow access to known folders by including the `FileExplorerNamespaceRestrictions` node.
You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
@@ -288,19 +296,22 @@ With the exported Start menu configuration, use the `v5:StartPins` element and a
```
-Example with some apps pinned:
+Example with some apps and a Microsoft Edge pinned site:
+``` xml
+```
::: zone-end
diff --git a/windows/configuration/assigned-access/configure-multi-app-kiosk.md b/windows/configuration/assigned-access/configure-multi-app-kiosk.md
new file mode 100644
index 0000000000..b79d7f9e79
--- /dev/null
+++ b/windows/configuration/assigned-access/configure-multi-app-kiosk.md
@@ -0,0 +1,96 @@
+---
+title: Configure a Multi-App Kiosk With Assigned Access
+description: Learn how to configure a multi-app kiosk with Assigned Access.
+ms.date: 3/7/2025
+ms.topic: overview
+---
+
+# Configure a restricted user experience (multi-app kiosk) with Assigned Access
+
+An Assigned Access restricted user experience runs one or more apps from the desktop. People using the kiosk have a customized Start menu that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for shared devices.
+
+To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
+
+- A Mobile Device Management (MDM) solution, like Microsoft Intune
+- Provisioning packages
+- PowerShell, with the MDM Bridge WMI Provider
+
+To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md).
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
+
+- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
+- **Value:** content of the XML configuration file
+
+Assign the policy to a group that contains as members the devices that you want to configure.
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
+
+- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
+- **Value:** content of the XML configuration file
+
+[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+
+[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
+
+```PowerShell
+$assignedAccessConfiguration = @"
+
+# content of the XML configuration file
+
+"@
+
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
+$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
+if($cimSetError) {
+ Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
+ Write-Error -ErrorRecord $cimSetError[0]
+
+ $timeout = New-TimeSpan -Seconds 30
+ $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ do{
+ $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
+ } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
+
+ if($events.Count) {
+ $events | ForEach-Object {
+ Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
+ }
+ } else {
+ Write-Warning "Timed-out attempting to retrieve event logs..."
+ }
+
+ Exit 1
+}
+
+Write-Output "Successfully applied Assigned Access configuration"
+```
+
+[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
+
+#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
+
+This option isn't available using Settings.
+
+---
+
+> [!TIP]
+> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/configure-single-app-kiosk.md
similarity index 61%
rename from windows/configuration/assigned-access/overview.md
rename to windows/configuration/assigned-access/configure-single-app-kiosk.md
index e271659707..e45c0e6815 100644
--- a/windows/configuration/assigned-access/overview.md
+++ b/windows/configuration/assigned-access/configure-single-app-kiosk.md
@@ -1,11 +1,11 @@
---
-title: What is Assigned Access?
-description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
-ms.date: 10/31/2024
+title: Configure a Single-App Kiosk With Assigned Access
+description: Learn how to configure a single-app kiosk with Assigned Access.
+ms.date: 3/7/2025
ms.topic: overview
---
-# What is Assigned Access?
+# Configure a single-app kiosk with Assigned Access
Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
@@ -188,128 +188,7 @@ When the device isn't joined to an Active Directory domain or Microsoft Entra ID
> [!TIP]
> For practical examples, see the [Quickstart: Configure a kiosk with Assigned Access](quickstart-kiosk.md).
-## Configure a restricted user experience
-
-To configure a restricted user experience with Assigned Access, you must create an XML configuration file with the settings for the desired experience. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
-
-- A Mobile Device Management (MDM) solution, like Microsoft Intune
-- Provisioning packages
-- PowerShell, with the MDM Bridge WMI Provider
-
-To learn how to configure the Assigned Access XML file, see [Create an Assigned Access configuration file](configuration-file.md).
-
-[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
-
-#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
-
-You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
-
-- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
-- **Value:** content of the XML configuration file
-
-Assign the policy to a group that contains as members the devices that you want to configure.
-
-#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-
-[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
-
-- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
-- **Value:** content of the XML configuration file
-
-[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
-
-#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
-
-[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
-
-```PowerShell
-$assignedAccessConfiguration = @"
-
-# content of the XML configuration file
-
-"@
-
-$namespaceName="root\cimv2\mdm\dmmap"
-$className="MDM_AssignedAccess"
-$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
-$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
-if($cimSetError) {
- Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
- Write-Error -ErrorRecord $cimSetError[0]
-
- $timeout = New-TimeSpan -Seconds 30
- $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- do{
- $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
- } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
-
- if($events.Count) {
- $events | ForEach-Object {
- Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
- }
- } else {
- Write-Warning "Timed-out attempting to retrieve event logs..."
- }
-
- Exit 1
-}
-
-Write-Output "Successfully applied Assigned Access configuration"
-```
-
-[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
-
-#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
-
-This option isn't available using Settings.
-
----
-
-> [!TIP]
-> For practical examples, see the [Quickstart: Configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
-
-## User experience
-
-To validate the kiosk or restricted user experience, sign in with the user account you specified in the configuration file.
-
-The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
-
-> [!NOTE]
-> Starting in Windows 11, a restricted user experience supports the use of multiple monitors.
-
-### Autotrigger touch keyboard
-
-The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
-
-> [!TIP]
-> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard is not triggered on VMs.
-
-### Sign out of assigned access
-
-By default, to exit the kiosk experience, press Ctrl + Alt + Del. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen timeout, the kiosk app relaunches. The default timeout is 30 seconds, but you can change the timeout with the registry key:
-
-`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
-
-To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
-
-> [!NOTE]
-> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
-
-The Breakout Sequence of Ctrl + Alt + Del is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is CTRL + ALT + A, where CTRL + ALT are the modifiers, and A is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md).
-
-## Remove Assigned Access
-
-Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.
-
-## Next steps
-
-> [!div class="nextstepaction"]
-> Review the recommendations before you deploy Assigned Access:
->
-> [Assigned Access recommendations](recommendations.md)
-
-
+[!INCLUDE [user-experience](includes/user-experience.md)]
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
diff --git a/windows/configuration/assigned-access/examples.md b/windows/configuration/assigned-access/examples.md
index 0970cd2d90..7b189bdb01 100644
--- a/windows/configuration/assigned-access/examples.md
+++ b/windows/configuration/assigned-access/examples.md
@@ -1,7 +1,7 @@
---
-title: Assigned Access examples
+title: Assigned Access Examples
description: Practical examples of XML files to configure Assigned Access.
-ms.date: 10/31/2024
+ms.date: 3/7/2025
ms.topic: reference
zone_pivot_groups: windows-versions-11-10
appliesto:
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience-example.png b/windows/configuration/assigned-access/images/restricted-user-experience-example.png
deleted file mode 100644
index e2863c0f06..0000000000
Binary files a/windows/configuration/assigned-access/images/restricted-user-experience-example.png and /dev/null differ
diff --git a/windows/configuration/assigned-access/includes/example-global-profile.md b/windows/configuration/assigned-access/includes/example-global-profile.md
index a818640cbd..bb00d4a162 100644
--- a/windows/configuration/assigned-access/includes/example-global-profile.md
+++ b/windows/configuration/assigned-access/includes/example-global-profile.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/example-kiosk-uwp.md b/windows/configuration/assigned-access/includes/example-kiosk-uwp.md
index 69e5a1ac70..e6202a80fb 100644
--- a/windows/configuration/assigned-access/includes/example-kiosk-uwp.md
+++ b/windows/configuration/assigned-access/includes/example-kiosk-uwp.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/example-restricted-experience.md b/windows/configuration/assigned-access/includes/example-restricted-experience.md
index e8653f5e2f..1bcf0fe640 100644
--- a/windows/configuration/assigned-access/includes/example-restricted-experience.md
+++ b/windows/configuration/assigned-access/includes/example-restricted-experience.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/example-two-profiles.md b/windows/configuration/assigned-access/includes/example-two-profiles.md
index 42bad92801..6c641d1609 100644
--- a/windows/configuration/assigned-access/includes/example-two-profiles.md
+++ b/windows/configuration/assigned-access/includes/example-two-profiles.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/example-usergroup.md b/windows/configuration/assigned-access/includes/example-usergroup.md
index 7d69b07f0b..e2b6036391 100644
--- a/windows/configuration/assigned-access/includes/example-usergroup.md
+++ b/windows/configuration/assigned-access/includes/example-usergroup.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md b/windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md
index 8fb14f8ac6..135168d757 100644
--- a/windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md
+++ b/windows/configuration/assigned-access/includes/quickstart-kiosk-intune.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md b/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
index 4f5ce43c2e..be008cf787 100644
--- a/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
+++ b/windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md b/windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md
index 93a0607346..58b9223a5a 100644
--- a/windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md
+++ b/windows/configuration/assigned-access/includes/quickstart-kiosk-xml.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md
index 4238a97dad..cf233f5d67 100644
--- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md
+++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
index 94bb914c0b..0420fed316 100644
--- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
+++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md
index 52730d3c75..ad3cdd99d5 100644
--- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md
+++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/includes/user-experience.md b/windows/configuration/assigned-access/includes/user-experience.md
new file mode 100644
index 0000000000..d043d54484
--- /dev/null
+++ b/windows/configuration/assigned-access/includes/user-experience.md
@@ -0,0 +1,78 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 3/7/2025
+ms.topic: include
+---
+
+## User experience
+
+To validate the kiosk configuration, sign in with the user account you specified in the configuration file.
+
+The Assigned Access configuration takes effect the next time the targeted user signs in. If that user account is signed in when you apply the configuration, sign out and sign back in to validate the experience.
+
+### Autotrigger touch keyboard
+
+The touch keyboard is automatically triggered when there's an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.
+
+> [!TIP]
+> The touch keyboard is triggered only when tapping a textbox. Mouse clicks don't trigger the touch keyboard. If you're testing this feature, use a physical device instead of a virtual machine (VM), as the touch keyboard isn't triggered on VMs.
+
+### Sign out of assigned access
+
+By default, to exit the kiosk experience, press Ctrl + Alt + Del. The kiosk app exits automatically. If you sign in again as the Assigned Access account, or wait for the sign in screen time-out, the kiosk app relaunches. The default time-out is 30 seconds, but you can change the time-out with the registry key:
+
+`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
+
+To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
+
+> [!NOTE]
+> `IdleTimeOut` doesn't apply to the Microsoft Edge kiosk mode.
+
+The Breakout Sequence of Ctrl + Alt + Del is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is CTRL + ALT + A, where CTRL + ALT are the modifiers, and A is the key value. To learn more, see [Create an Assigned Access configuration XML file](../configuration-file.md).
+
+## Remove Assigned Access
+
+Deleting the Assigned Access configuration removes the policy settings associated with the users, but it can't revert all the changes. For example, in a multi-app kiosk scenario the Start menu configuration is maintained.
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+To remove the Assigned Access configuration, unassign or delete the policy that contains the configuration.
+
+#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+To remove the Assigned Access configuration, uninstall the provisioning package that contains the configuration.
+
+#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+
+```PowerShell
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = $null
+Set-CimInstance -CimInstance $obj
+```
+
+#### [:::image type="icon" source="../../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
+
+1. Go to **Settings > Accounts > Other Users**, or use the following shortcut:
+
+ > [!div class="nextstepaction"]
+ >
+ > [Other Users](ms-settings:otherusers)
+
+1. Select **Kiosk**
+1. Under **Kiosk info**, expand the application used for the kiosk experience
+1. Select **Remove kiosk**
+
+> [!NOTE]
+> This option isn't available using Settings if you configured a restricted user experience.
+
+---
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Review the recommendations before you deploy Assigned Access:
+>
+> [Assigned Access recommendations](../recommendations.md)
diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md
index dc51e3a588..58bc4e77a3 100644
--- a/windows/configuration/assigned-access/index.md
+++ b/windows/configuration/assigned-access/index.md
@@ -1,74 +1,47 @@
---
-title: Windows kiosks and restricted user experiences
-description: Learn about the options available in Windows to configure kiosks and restricted user experiences.
+title: Assigned Access Overview
+description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
+ms.date: 3/7/2025
ms.topic: overview
-ms.date: 10/31/2024
---
-# Windows kiosks and restricted user experiences
+# Assigned Access overview
-Organizations are constantly seeking ways to streamline operations, improve customer service, and enhance productivity. One effective solution is the deployment of kiosk devices. These specialized devices offer a range of benefits that can significantly impact an organization's efficiency and success. For example:
+Assigned Access is a Windows feature that you can use to configure a device as a kiosk or with a restricted user experience.
-- Cost-effective customer service: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels
-- Reduced wait times: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly
-- Consistent brand experience: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
-- Customization and flexibility: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements
+When you configure a **kiosk experience**, a single Universal Windows Platform (UWP) application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it automatically restarts. Practical examples include:
-Windows offers two different options for public or specialized use:
+- Public browsing
+- Interactive digital signage
-:::row:::
- :::column span="1":::
- :::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
- :::column-end:::
- :::column span="3":::
- #### Kiosk experience
- :::column-end:::
-:::row-end:::
+When you configure a **restricted user experience**, users can only execute a defined list of applications, with a tailored Start menu and Taskbar. Different policy settings and AppLocker rules are enforced, creating a locked down experience. The users can access a familiar Windows desktop, while limiting their access, reducing distractions, and potential for inadvertent uses. Ideal for shared devices, you can create different configurations for different users. Practical examples include:
-This option runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This option is sometimes referred to as *single-app kiosk*.
+- Frontline worker devices
+- Student devices
+- Lab devices
-Windows offers two different features to configure a kiosk experience:
+> [!NOTE]
+> When you configure a restricted user experience, different policy settings are applied to the device. Some policy settings apply to standard users only, and some to administrator accounts too. For more information, see [Assigned Access policy settings](policy-settings.md).
-- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
-- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The specified application replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in
+## Requirements
-:::row:::
- :::column span="1":::
- :::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
- :::column-end:::
- :::column span="3":::
- #### Restricted user experience
- :::column-end:::
-:::row-end:::
+Here are the requirements for Assigned Access:
-This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
+- To use a kiosk experience, [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be enabled
+- To use a kiosk experience, you must sign in from the console. The kiosk experience isn't supported over a remote desktop connection
-:::image type="content" source="images/restricted-user-experience-example.png" alt-text="Screenshot of a restricted user experience in Windows 11." border="false":::
-
-To configure a restricted user experience, you use the **Assigned Access** feature.
-
-## Choose the right experience
-
-When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions:
-
-| | Question |
-|--|--|
-| **🔲** | *How many apps?* The number of apps determines the experience to build: **kiosk** or **restricted user experience**.|
-| **🔲** | *Desktop experience or custom?* If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom user interface, then you should use **Shell Launcher**.|
-| **🔲** | *In single-app scenario, which type of app will your kiosk run?* If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
-| **🔲** | *Which edition of Windows client will the kiosk run?"* **Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
+[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Next steps
-In the next sections, you can learn more about the options available to configure kiosks and restricted user experiences:
+Learn how to configure Assigned Access:
-- [Assigned Access](overview.md)
-- [Shell Launcher](shell-launcher/index.md)
+- [Configure a single-app kiosk experience with Assigned Access](configure-single-app-kiosk.md)
+- [Configure a restricted user experience (multi-app kiosk) with Assigned Access](configure-multi-app-kiosk.md)
### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
-If you're ready to try out the options available to configure kiosks and restricted user experiences, check out the following quickstarts:
+If you want to quickly test Assigned Access, check out the following quickstarts:
-- [Quickstart: configure a kiosk with Assigned Access](quickstart-kiosk.md)
-- [Quickstart: configure a kiosk experience with Shell Launcher](shell-launcher/quickstart-kiosk.md)
-- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
\ No newline at end of file
+- [Quickstart: configure a single-app kiosk with Assigned Access](quickstart-kiosk.md)
+- [Quickstart: configure a restricted user experience with Assigned Access](quickstart-restricted-user-experience.md)
diff --git a/windows/configuration/assigned-access/policy-settings.md b/windows/configuration/assigned-access/policy-settings.md
index 41072ae848..9a85674f5d 100644
--- a/windows/configuration/assigned-access/policy-settings.md
+++ b/windows/configuration/assigned-access/policy-settings.md
@@ -1,5 +1,5 @@
---
-title: Assigned Access policy settings
+title: Assigned Access Policy Settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
ms.date: 02/25/2025
diff --git a/windows/configuration/assigned-access/quickstart-kiosk.md b/windows/configuration/assigned-access/quickstart-kiosk.md
index fe38439c87..e97890de44 100644
--- a/windows/configuration/assigned-access/quickstart-kiosk.md
+++ b/windows/configuration/assigned-access/quickstart-kiosk.md
@@ -1,13 +1,13 @@
---
-title: "Quickstart: configure a kiosk experience with Assigned Access"
-description: Learn how to configure a kiosk experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
+title: "Quickstart: Configure a Single-App Kiosk With Assigned Access"
+description: Learn how to configure a single-app kiosk with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 10/31/2024
+ms.date: 3/7/2025
---
-# Quickstart: configure a kiosk with Assigned Access
+# Quickstart: configure a single-app kiosk with Assigned Access
-This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
+This quickstart provides practical examples of how to configure a single-app kiosk on Windows with Assigned Access. The examples describe the steps using the Settings app, a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can change the app used, the URL specified when opening Microsoft Edge, or change the name of the user that automatically signs in to Windows.
@@ -62,8 +62,6 @@ Assign the policy to a group that contains as members the devices that you want
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
-
-
#### [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings)
Here are the steps to configure a kiosk using the Settings app:
@@ -93,12 +91,28 @@ Here are the steps to configure a kiosk using the Settings app:
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
+## Remove Assigned Access
+
+Once you no longer need the kiosk configuration, you can remove it.
+
+Here's a PowerShell example to remove the Assigned Access configuration:
+
+```powershell
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = $null
+Set-CimInstance -CimInstance $obj
+```
+
+Reboot the device to apply the changes.
+
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
-> [Assigned Access overview](overview.md)
+> [Assigned Access overview](index.md)
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
diff --git a/windows/configuration/assigned-access/quickstart-restricted-user-experience.md b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
index 75d9bb74c1..25e9c69ec6 100644
--- a/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
+++ b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
@@ -1,15 +1,15 @@
---
-title: "Quickstart: configure a restricted user experience with Assigned Access"
+title: "Quickstart: Configure a Restricted User Experience With Assigned Access"
description: Learn how to configure a restricted user experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 10/31/2024
+ms.date: 3/7/2025
appliesto:
zone_pivot_groups: windows-versions-11-10
---
# Quickstart: configure a restricted user experience with Assigned Access
-This quickstart provides practical examples of how to configure a *restricted user experience* on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
+This quickstart provides practical examples of how to configure a restricted user experience on Windows. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
@@ -80,12 +80,28 @@ After the settings are applied, reboot the device. A local user account is autom
::: zone-end
+## Remove Assigned Access
+
+Once you no longer need the restricted user experience, you can remove it. Deleting the Assigned Access configuration removes the policy settings associated with the users, but it can't revert all the changes. For example, the Start menu configuration is maintained.
+
+Here's a PowerShell example to remove the configuration:
+
+```powershell
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = $null
+Set-CimInstance -CimInstance $obj
+```
+
+Reboot the device to apply the changes.
+
## Next steps
> [!div class="nextstepaction"]
> Learn more about Assigned Access and how to configure it:
>
-> [Assigned Access overview](overview.md)
+> [Assigned Access overview](index.md)
diff --git a/windows/configuration/assigned-access/recommendations.md b/windows/configuration/assigned-access/recommendations.md
index 1aeb40f5c9..c98af9f486 100644
--- a/windows/configuration/assigned-access/recommendations.md
+++ b/windows/configuration/assigned-access/recommendations.md
@@ -1,8 +1,8 @@
---
-title: Assigned Access recommendations
+title: Assigned Access Recommendations
description: Learn about the recommended kiosk and restricted user experience configuration options.
ms.topic: best-practice
-ms.date: 10/31/2024
+ms.date: 3/7/2025
---
# Assigned Access recommendations
@@ -20,7 +20,7 @@ Consider enabling *automatic sign-in* for your kiosk device. When the device res
You can configure the Assigned Access and Shell Launcher XML files with an account to sign-in automatically. For more information, review the articles:
- [Create an Assigned Access configuration XML file](configuration-file.md)
-- [Create a Shell Launcher configuration file](shell-launcher/configuration-file.md)
+- [Create a Shell Launcher configuration file](../shell-launcher/configuration-file.md)
Alternatively, you can edit the Registry to have an account sign in automatically:
diff --git a/windows/configuration/assigned-access/shell-launcher/index.md b/windows/configuration/assigned-access/shell-launcher/index.md
deleted file mode 100644
index 5ffc4c6801..0000000000
--- a/windows/configuration/assigned-access/shell-launcher/index.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-title: What is Shell Launcher?
-description: Learn how to configure devices with Shell Launcher.
-ms.date: 10/31/2024
-ms.topic: overview
----
-
-# What is Shell Launcher?
-
-Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`Explorer.exe`) with a Windows desktop application or a Universal Windows Platform (UWP) app.
-
-Practical examples include:
-
-- Public browsing
-- Interactive digital signage
-- ATMs
-
-Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand.
-
-With Shell Launcher, you can use features and methods to control access to other applications or system components. These methods include, but aren't limited to:
-
-- Configuration Service Provider (CSP): you can use a Mobile Device Management (MDM) solution like Microsoft Intune
-- Group policy (GPO)
-- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
-
-Shell Launcher is part of the [Assigned Access](../overview.md) feature, which allows you to configure kiosks or restricted user experiences. To learn about the differences between Shell Launcher and the other options offered by Assigned Access, see [Windows kiosks and restricted user experiences](../index.md).
-
-[!INCLUDE [shell-launcher](../../../../includes/licensing/shell-launcher.md)]
-
-## Limitations
-
-Here are some limitations to consider when using Shell Launcher:
-
-- Windows doesn't support setting a custom shell before the out-of-box experience (OOBE). If you do, you can't deploy the resulting image
-- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you can't specify `write.exe` in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. `Write.exe` creates a 32-bit `wordpad.exe` process and exits. Since Shell Launcher isn't aware of the newly created `wordpad.exe` process, Shell Launcher takes action based on the exit code of `Write.exe`, such as restarting the custom shell
-
-## Configure a device with Shell Launcher
-
-The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
-
-- A Mobile Device Management (MDM) solution, like Microsoft Intune
-- Provisioning packages
-- The MDM Bridge WMI Provider
-
-To learn how to configure the Shell Launcher XML file, see [Create a Shell Launcher configuration file](configuration-file.md).
-
-[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
-
-#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
-
-You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
-
-- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
-- **Value:** content of the XML configuration file
-
-Assign the policy to a group that contains as members the devices that you want to configure.
-
-#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-
-[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
-
-- **Path:** `SMISettings/ShellLauncher`
-- **Value:** depends on specific settings
-
-[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
-
-#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
-
-[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
-
-```PowerShell
-$shellLauncherConfiguration = @"
-
-# content of the XML configuration file
-
-"@
-
-$namespaceName="root\cimv2\mdm\dmmap"
-$className="MDM_AssignedAccess"
-$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
-$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
-if($cimSetError) {
- Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
- Write-Error -ErrorRecord $cimSetError[0]
-
- $timeout = New-TimeSpan -Seconds 30
- $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- $eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
- do{
- $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
- } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
-
- if($events.Count) {
- $events | ForEach-Object {
- Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
- }
- } else {
- Write-Warning "Timed-out attempting to retrieve event logs..."
- }
-
- Exit 1
-}
-
-Write-Output "Successfully applied Shell Launcher configuration"
-```
-
-[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
-
----
-
-> [!TIP]
-> For practical examples, see the [Quickstart: configure a kiosk experience with Shell Launcher](quickstart-kiosk.md).
-
-## User experience
-
-After the settings are applied, the users that are configured to use Shell Launcher will execute the custom shell after sign-in.
-
-Depending on your configuration, you can have a user to automatically sign in to the device.
-
-## Next steps
-
-> [!div class="nextstepaction"]
-> Learn how to configure the Shell Launcher XML file:
->
-> [Create a Shell Launcher configuration file](configuration-file.md)
-
-
-
-[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
-[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
diff --git a/windows/configuration/assigned-access/shell-launcher/toc.yml b/windows/configuration/assigned-access/shell-launcher/toc.yml
deleted file mode 100644
index 047a8acdb9..0000000000
--- a/windows/configuration/assigned-access/shell-launcher/toc.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-items:
-- name: What is Shell Launcher?
- href: index.md
-- name: "Quickstart: Configure a kiosk with Shell Launcher"
- href: quickstart-kiosk.md
-- name: Create a Shell Launcher configuration file
- href: configuration-file.md
-- name: Shell Launcher XSD
- href: xsd.md
diff --git a/windows/configuration/assigned-access/toc.yml b/windows/configuration/assigned-access/toc.yml
index a80a14dd6a..79538c7896 100644
--- a/windows/configuration/assigned-access/toc.yml
+++ b/windows/configuration/assigned-access/toc.yml
@@ -1,33 +1,32 @@
items:
- name: Overview
href: index.md
-- name: Assigned Access
- items:
- - name: What is Assigned Access?
- href: overview.md
- - name: Quickstarts
- items:
- - name: Configure a kiosk with Assigned Access
- href: quickstart-kiosk.md
- - name: Configure a restricted user experience with Assigned Access
- href: quickstart-restricted-user-experience.md
- - name: Create an Assigned Access configuration file
- href: configuration-file.md
- - name: Reference
- items:
- - name: Assigned Access XSD
- href: xsd.md
- - name: Assigned Access XML examples
- href: examples.md
- - name: Assigned Access policy settings
- href: policy-settings.md
-- name: Shell Launcher
- href: shell-launcher/toc.yml
+- name: Configure a single-app kiosk
+ href: configure-single-app-kiosk.md
+- name: Configure a multi-app kiosk
+ href: configure-multi-app-kiosk.md
+ displayName: Configure a restricted user experience
- name: Recommendations
href: recommendations.md
-- name: Assigned Access CSP 🔗
- href: /windows/client-management/mdm/assignedaccess-csp
-- name: Troubleshoot 🔗
- href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
-- name: Configure Microsoft Edge kiosk mode 🔗
- href: /deployedge/microsoft-edge-configure-kiosk-mode
\ No newline at end of file
+- name: Create a configuration file
+ href: configuration-file.md
+- name: Quickstarts
+ items:
+ - name: Configure a single-app kiosk
+ href: quickstart-kiosk.md
+ displayName: Configure a single-app kiosk quickstart
+ - name: Configure a multi-app kiosk
+ href: quickstart-restricted-user-experience.md
+ displayName: Configure a restricted user experience quickstart
+- name: Reference
+ items:
+ - name: Assigned Access XSD
+ href: xsd.md
+ - name: Assigned Access XML examples
+ href: examples.md
+ - name: Assigned Access policy settings
+ href: policy-settings.md
+ - name: WMI Class WEDL_AssignedAccess
+ href: wedl-assignedaccess.md
+ - name: Assigned Access CSP 🔗
+ href: /windows/client-management/mdm/assignedaccess-csp
diff --git a/windows/configuration/shell-launcher/wedl-assignedaccess.md b/windows/configuration/assigned-access/wedl-assignedaccess.md
similarity index 97%
rename from windows/configuration/shell-launcher/wedl-assignedaccess.md
rename to windows/configuration/assigned-access/wedl-assignedaccess.md
index acdd00a9df..9ae0d36c01 100644
--- a/windows/configuration/shell-launcher/wedl-assignedaccess.md
+++ b/windows/configuration/assigned-access/wedl-assignedaccess.md
@@ -9,11 +9,11 @@ ms.topic: reference
This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
-[!INCLUDE [shell-launcher](../../../includes/licensing/assigned-access.md)]
+[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]
## Syntax
-```powershell
+```mof
class WEDL_AssignedAccess {
[Key] string UserSID;
[Read, Write] string AppUserModelId;
diff --git a/windows/configuration/assigned-access/xsd.md b/windows/configuration/assigned-access/xsd.md
index 36c51137aa..4e9f941938 100644
--- a/windows/configuration/assigned-access/xsd.md
+++ b/windows/configuration/assigned-access/xsd.md
@@ -2,7 +2,7 @@
title: Assigned Access XML Schema Definition (XSD)
description: Assigned Access XSD reference article.
ms.topic: reference
-ms.date: 10/31/2024
+ms.date: 3/7/2025
---
# Assigned Access XML Schema Definition (XSD)
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 22924a43cc..954b3313fb 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -84,14 +84,16 @@
"custom-logon//**/*.yml": "terrywarwick",
"keyboard-filter//**/*.md": "terrywarwick",
"keyboard-filter//**/*.yml": "terrywarwick",
+ "kiosk//**/*.md": "paolomatarazzo",
+ "kiosk//**/*.yml": "paolomatarazzo",
"lock-screen//**/*.md": "paolomatarazzo",
"lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft",
"shared-pc//**/*.md": "paolomatarazzo",
"shared-pc//**/*.yml": "paolomatarazzo",
- "shell-launcher//**/*.md": "terrywarwick",
- "shell-launcher//**/*.yml": "terrywarwick",
+ "shell-launcher//**/*.md": "paolomatarazzo",
+ "shell-launcher//**/*.yml": "paolomatarazzo",
"start//**/*.md": "paolomatarazzo",
"start//**/*.yml": "paolomatarazzo",
"store//**/*.md": "paolomatarazzo",
@@ -119,13 +121,15 @@
"lock-screen//**/*.md": "paoloma",
"keyboard-filter//**/*.md": "twarwick",
"keyboard-filter//**/*.yml": "twarwick",
+ "kiosk//**/*.md": "paoloma",
+ "kiosk//**/*.yml": "paoloma",
"lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa",
"shared-pc//**/*.md": "paoloma",
"shared-pc//**/*.yml": "paoloma",
- "shell-launcher//**/*.md": "twarwick",
- "shell-launcher//**/*.yml": "twarwick",
+ "shell-launcher//**/*.md": "paoloma",
+ "shell-launcher//**/*.yml": "paoloma",
"start//**/*.md": "paoloma",
"start//**/*.yml": "paoloma",
"store//**/*.md": "paoloma",
diff --git a/windows/configuration/images/icons/dev.svg b/windows/configuration/images/icons/dev.svg
new file mode 100644
index 0000000000..26c4e8ac54
--- /dev/null
+++ b/windows/configuration/images/icons/dev.svg
@@ -0,0 +1,10 @@
+
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index a1e1606862..c84e3b6be5 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -38,20 +38,18 @@ landingContent:
linkLists:
- linkListType: concept
links:
+ - text: Kiosk options in Windows
+ url: kiosk/index.md
- text: What is Assigned Access?
- url: assigned-access/overview.md
- - text: What is Shell Launcher?
- url: assigned-access/shell-launcher/index.md
- - linkListType: how-to-guide
- links:
- - text: Configure kiosks and restricted user experiences
url: assigned-access/index.md
+ - text: What is Shell Launcher?
+ url: shell-launcher/index.md
- linkListType: quickstart
links:
- text: Configure a kiosk with Assigned Access
url: assigned-access/quickstart-kiosk.md
- text: Configure a kiosk with Shell Launcher
- url: assigned-access/shell-launcher/quickstart-kiosk.md
+ url: shell-launcher/quickstart-kiosk.md
- text: Configure a restricted user experience with Assigned Access
url: assigned-access/quickstart-restricted-user-experience.md
- linkListType: reference
@@ -59,7 +57,7 @@ landingContent:
- text: Assigned Access XML Schema Definition (XSD)
url: assigned-access/xsd.md
- text: Shell Launcher XML Schema Definition (XSD)
- url: assigned-access/shell-launcher/xsd.md
+ url: shell-launcher/xsd.md
- title: Configure shared devices
linkLists:
diff --git a/windows/configuration/keyboard-filter/toc.yml b/windows/configuration/keyboard-filter/toc.yml
index 0a08af732d..a8dfbab30f 100644
--- a/windows/configuration/keyboard-filter/toc.yml
+++ b/windows/configuration/keyboard-filter/toc.yml
@@ -1,53 +1,51 @@
items:
-- name: Keyboard Filter
+- name: About keyboard filter
+ href: index.md
+- name: Key Names
+ href: keyboardfilter-key-names.md
+- name: Predefined Key Combinations
+ href: predefined-key-combinations.md
+- name: WMI Provider Reference
items:
- - name: About keyboard filter
- href: index.md
- - name: Key Names
- href: keyboardfilter-key-names.md
- - name: Predefined Key Combinations
- href: predefined-key-combinations.md
- - name: WMI Provider Reference
+ - name: Overview
+ href: keyboardfilter-wmi-provider-reference.md
+ - name: Class WEKF_CustomKey
items:
- name: Overview
- href: keyboardfilter-wmi-provider-reference.md
- - name: Class WEKF_CustomKey
- items:
- - name: Overview
- href: wekf-customkey.md
- - name: Add
- href: wekf-customkeyadd.md
- - name: Remove
- href: wekf-customkeyremove.md
- - name: Class WEKF_PredefinedKey
- items:
- - name: Overview
- href: wekf-predefinedkey.md
- - name: Disable
- href: wekf-predefinedkeydisable.md
- - name: Enable
- href: wekf-predefinedkeyenable.md
- - name: Class WEKF_Scancode
- items:
- - name: Overview
- href: wekf-scancode.md
- - name: Add
- href: wekf-scancodeadd.md
- - name: Remove
- href: wekf-scancoderemove.md
- - name: Class WEKF-Settings
- href: wekf-settings.md
- - name: PowerShell script samples
+ href: wekf-customkey.md
+ - name: Add
+ href: wekf-customkeyadd.md
+ - name: Remove
+ href: wekf-customkeyremove.md
+ - name: Class WEKF_PredefinedKey
items:
- name: Overview
- href: keyboardfilter-powershell-script-samples.md
- - name: Add blocked key Combinations
- href: keyboardfilter-add-blocked-key-combinations.md
- - name: Disable all blocked key Combinations
- href: disable-all-blocked-key-combinations.md
- - name: List all configured key combinations
- href: keyboardfilter-list-all-configured-key-combinations.md
- - name: Modify global settings
- href: modify-global-settings.md
- - name: Remove key combination configurations
- href: remove-key-combination-configurations.md
\ No newline at end of file
+ href: wekf-predefinedkey.md
+ - name: Disable
+ href: wekf-predefinedkeydisable.md
+ - name: Enable
+ href: wekf-predefinedkeyenable.md
+ - name: Class WEKF_Scancode
+ items:
+ - name: Overview
+ href: wekf-scancode.md
+ - name: Add
+ href: wekf-scancodeadd.md
+ - name: Remove
+ href: wekf-scancoderemove.md
+ - name: Class WEKF-Settings
+ href: wekf-settings.md
+- name: PowerShell script samples
+ items:
+ - name: Overview
+ href: keyboardfilter-powershell-script-samples.md
+ - name: Add blocked key Combinations
+ href: keyboardfilter-add-blocked-key-combinations.md
+ - name: Disable all blocked key Combinations
+ href: disable-all-blocked-key-combinations.md
+ - name: List all configured key combinations
+ href: keyboardfilter-list-all-configured-key-combinations.md
+ - name: Modify global settings
+ href: modify-global-settings.md
+ - name: Remove key combination configurations
+ href: remove-key-combination-configurations.md
\ No newline at end of file
diff --git a/windows/configuration/assigned-access/images/kiosk.png b/windows/configuration/kiosk/images/kiosk.png
similarity index 100%
rename from windows/configuration/assigned-access/images/kiosk.png
rename to windows/configuration/kiosk/images/kiosk.png
diff --git a/windows/configuration/kiosk/images/restricted-user-experience-example.png b/windows/configuration/kiosk/images/restricted-user-experience-example.png
new file mode 100644
index 0000000000..0a63fc7bdb
Binary files /dev/null and b/windows/configuration/kiosk/images/restricted-user-experience-example.png differ
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience.png b/windows/configuration/kiosk/images/restricted-user-experience.png
similarity index 100%
rename from windows/configuration/assigned-access/images/restricted-user-experience.png
rename to windows/configuration/kiosk/images/restricted-user-experience.png
diff --git a/windows/configuration/kiosk/index.md b/windows/configuration/kiosk/index.md
new file mode 100644
index 0000000000..5129be1a53
--- /dev/null
+++ b/windows/configuration/kiosk/index.md
@@ -0,0 +1,95 @@
+---
+title: Windows Single-App and Multi-App Kiosk Configuration Options Overview
+description: Learn how to configure Windows kiosks with single-app and multi-app options for a secure and enhanced user experience.
+ms.topic: overview
+ms.date: 3/7/2025
+---
+
+# Windows kiosks configuration options overview
+
+Organizations are constantly seeking ways to streamline operations, improve customer service, and enhance productivity. One effective solution is the deployment of kiosk devices. These specialized devices offer a range of benefits that can significantly impact an organization's efficiency and success. For example:
+
+- **Cost-effective customer service**: kiosks allow organizations to provide essential services without the need for dedicated staff. Whether it's checking in at a hotel, ordering food at a restaurant, or printing boarding passes at an airport, kiosks reduce labor costs while maintaining service quality. Customers appreciate the convenience of self-service options, leading to higher satisfaction levels
+- **Reduced wait times**: long queues and wait times frustrate customers and staff members. Kiosks expedite processes by allowing users to complete tasks independently. Whether it's paying bills, renewing memberships, or accessing information, kiosks empower users to get things done swiftly
+- **Consistent brand experience**: kiosks ensure a uniform brand experience across different locations. Whether in retail stores, schools, airports, or healthcare facilities, the interface remains consistent. Brand consistency builds trust and reinforces the organization's image
+- **Customization and flexibility**: kiosks can be tailored to specific needs. From touchscreens to barcode scanners, organizations choose features that align with their goals. Whether it's self-checkout, wayfinding, or interactive product catalogs, kiosks adapt to diverse requirements
+
+Windows offers two kiosk modes for public or specialized use:
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/kiosk.png" alt-text="Icon representing a kiosk." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Single-app kiosk
+ :::column-end:::
+:::row-end:::
+
+This option runs a single application in full screen, and people using the device can only use that app. When the designated kiosk account signs in, the kiosk app launches automatically. This option is sometimes referred to as *single-app kiosk*.
+
+Windows has two features to configure a single-app kiosk:
+
+- **Assigned Access**: used to execute a single Universal Windows Platform (UWP) app or Microsoft Edge in full screen above the lock screen. When the kiosk account signs in, the kiosk app launches automatically. If the UWP app is closed, it automatically restarts
+- **Shell Launcher**: used to configure a device to execute a Windows desktop application as the user interface. The application that you specify replaces the default Windows shell (`Explorer.exe`) that usually runs when a user signs in. This type of single-app kiosk doesn't run above the lock screen
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/restricted-user-experience.png" alt-text="Icon representing a restricted user experience." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Restricted user experience
+ :::column-end:::
+:::row-end:::
+
+This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
+
+:::image type="content" source="images/restricted-user-experience-example.png" alt-text="Screenshot of a restricted user experience in Windows 11." border="false":::
+
+To configure a restricted user experience, you use the **Assigned Access** feature.
+
+> [!NOTE]
+> You can't configure both Shell Launcher and Assigned Access on the same system.
+
+## Choose the right experience
+
+When you're considering a kiosk or restricted user experience, you need to choose the right experience for your needs. A good approach is to ask yourself the following set of questions:
+
+| | Question |
+|--|--|
+| **🔲** | *How many apps?* The number of apps determines the experience to build: **kiosk** or **restricted user experience**.|
+| **🔲** | *Desktop experience or custom?* If your users require access to the desktop with a custom Start menu, then you can build a **restricted user experience** with **Assigned Access**. If your users require access to multiple applications but with a custom user interface, then you should use **Shell Launcher**.|
+| **🔲** | *In single-app scenario, which type of app will your kiosk run?* If the kiosk requires a Universal Windows Platform (UWP) app or Microsoft Edge, you can build a **kiosk experience** with **Assigned Access**. If the kiosk requires a desktop app, you can build a **kiosk experience** with **Shell Launcher**.|
+| **🔲** | *Which edition of Windows client will the kiosk run?* **Assigned Access** is supported on Windows Pro and Enterprise/Education. **Shell Launcher** is only supported on Windows Enterprise and Education editions.|
+| **🔲** | *Which type of user account will be the kiosk account?* The kiosk account can be a local standard user account, a domain account, or a Microsoft Entra ID account, depending on the method that you use to configure the kiosk. If you require users to sign in and authenticate on the kiosk, you should use an Assigned Access multi-app kiosk configuration. The Assigned Access single-app kiosk configuration doesn't require users to sign in to the kiosk, although they can sign in to the kiosk app if you select an app that has a sign-in method.|
+
+> [!TIP]
+>
+> A benefit of using an Assigned Access kiosk mode is that a [set of policy settings](../assigned-access/policy-settings.md) are automatically applied to the device to optimize the lock-down experience. Shell Launcher doesn't have any default lockdown policies.
+
+## Microsoft Edge Kiosk Mode
+
+You can use Microsoft Edge kiosk mode to create an Assigned Access single-app or multi-app kiosk experience.
+
+[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser to create, manage, and provide the best experience for your customers. The following lockdown experiences are available:
+
+- Digital/Interactive Signage experience: Displays a specific site in full-screen mode
+- Public-Browsing experience: Runs a limited multi-tab version of Microsoft Edge
+
+Both experiences run a Microsoft Edge InPrivate session, which protects user data.
+
+To learn more, see [Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode).
+
+## Next steps
+
+Learn more about the Windows features to configure kiosk devices:
+
+- [Assigned Access](../assigned-access/index.md)
+- [Shell Launcher](../shell-launcher/index.md)
+
+### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
+
+If you're ready to configure kiosk devices, check out the following quickstarts:
+
+- [Quickstart: configure a single-app kiosk with Assigned Access](../assigned-access/quickstart-kiosk.md)
+- [Quickstart: configure a restricted user experience with Assigned Access](../assigned-access/quickstart-restricted-user-experience.md)
+- [Quickstart: configure a kiosk with Shell Launcher](../shell-launcher/quickstart-kiosk.md)
diff --git a/windows/configuration/kiosk/toc.yml b/windows/configuration/kiosk/toc.yml
new file mode 100644
index 0000000000..a2431a662b
--- /dev/null
+++ b/windows/configuration/kiosk/toc.yml
@@ -0,0 +1,11 @@
+items:
+- name: Overview
+ href: index.md
+- name: Assigned Access
+ href: ../assigned-access/toc.yml
+- name: Shell Launcher
+ href: ../shell-launcher/toc.yml
+- name: Troubleshoot 🔗
+ href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
+- name: Configure Microsoft Edge kiosk mode 🔗
+ href: /deployedge/microsoft-edge-configure-kiosk-mode
\ No newline at end of file
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 80c1a38048..ecc3e67f2f 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -12,7 +12,7 @@ This article explains how to create and apply a provisioning package that contai
The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices:
- [Instructions for the desktop wizard](#start-a-new-project)
-- [Instructions for the kiosk wizard](../assigned-access/overview.md)
+- [Instructions for the kiosk wizard](../assigned-access/index.md)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard)
- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub)
@@ -27,7 +27,7 @@ In this example, we use the **Provision desktop devices** option which helps you
- Create local administrator account
- Add applications and certificates
-> [IMPORTANT]
+> [!IMPORTANT]
> You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
## Start a new project
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 14273f9e99..5f4740e31d 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -59,7 +59,7 @@ WCD supports the following scenarios for IT administrators:
Windows Configuration Designer provides the following simple provisioning scenarios:
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
-- [Instructions for the kiosk wizard](../assigned-access/overview.md)
+- [Instructions for the kiosk wizard](../assigned-access/index.md)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard)
- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub)
diff --git a/windows/configuration/shell-launcher/browser-support.md b/windows/configuration/shell-launcher/browser-support.md
deleted file mode 100644
index 1c3b383033..0000000000
--- a/windows/configuration/shell-launcher/browser-support.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Browser Support
-ms.date: 03/30/2023
-ms.topic: concept-article
-description: Learn about browser support in Kiosk Mode
----
-
-# Browser Support
-
-Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge](/deployedge/microsoft-edge-configure-kiosk-mode) to create an assigned access single-app or multi-app kiosk experience.
-
-## Microsoft Edge Kiosk Mode
-
-> Available for LTSC starting in [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/Windows-10-IoT-Enterprise-LTSC-2021)
-
-[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
-
-* Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
-* Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
-
-Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
-
-## Internet Explorer 11
-
-[Internet Explorer 11](/internet-explorer/internet-explorer) is considered a legacy browser, in subsequent releases.
-
-In anticipation of that, you can use [Internet Explorer (IE) mode](/deployedge/edge-ie-mode) on Microsoft Edge. IE mode allows you to run legacy web apps and modern web apps in a single browser.
-
-> [!NOTE]
-> For in-support Windows 10 IoT Enterprise [Semi-Annual Channel (SAC) releases](/lifecycle/products/windows-10-iot-enterprise), Internet Explorer 11 will reach end of support on June 15, 2022.
->
-> Internet Explorer 11 follows the Long-Term-Servicing-Channel (LTSC) Lifecycle for [Windows 10 IoT Enterprise LTSC](/lifecycle/products/?terms=Windows%2010%20IoT%20Enterprise%20LTSC) products.
-
-## Supported Versions
-
-| Browser | Internet Explorer 11 | Microsoft Edge Legacy | Microsoft Edge |
-|--|--|--|--|
-| OS Release | [IE11 App](/internet-explorer/internet-explorer) | [Edge Browser - Legacy](/deployedge/microsoft-edge-kiosk-mode-transition-plan) | [New Edge Browser](/deployedge/microsoft-edge-configure-kiosk-mode) |
-| Windows 10 IoT Enterprise LTSC 2019 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019) | No browser security updates after March, 9, 2021 (removed where applicable). In-box engine supported until OS end of service | Microsoft Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML) |
-| Windows 10 IoT Enterprise, version 21H2 | End of support June 15, 2022 | Removed & replaced with New Microsoft Edge Browser in May 2021 Update | Included in-box or installed with May 2021 Update |
-| Windows 10 IoT Enterprise LTSC 2021 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) | Not included | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
-| Windows 11 IoT Enterprise | N/A | N/A | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
-
-## Additional Resources
-
-* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
-* [Plan your kiosk mode transition](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
diff --git a/windows/configuration/assigned-access/shell-launcher/configuration-file.md b/windows/configuration/shell-launcher/configuration-file.md
similarity index 97%
rename from windows/configuration/assigned-access/shell-launcher/configuration-file.md
rename to windows/configuration/shell-launcher/configuration-file.md
index 459b26e0a2..3216b451eb 100644
--- a/windows/configuration/assigned-access/shell-launcher/configuration-file.md
+++ b/windows/configuration/shell-launcher/configuration-file.md
@@ -1,7 +1,7 @@
---
title: Create a Shell Launcher configuration file
description: Learn how to create an XML file to configure a device with Shell Launcher.
-ms.date: 10/31/2024
+ms.date: 3/7/2025
ms.topic: how-to
---
@@ -104,7 +104,7 @@ Each profile defines a `Shell` element, which contains details about the applica
| Property| Description | Details |
|-|-|-|
-|`Shell`| Application that is used as a Windows shell. |- For Universal Windows Platform (UWP) apps, you must provide the App User Model ID (AUMID). Learn how to [Find the Application User Model ID of an installed app](../../store/find-aumid.md). - For desktop apps, specify the full path of the executable, which can contain system environment variables in the form of `%variableName%`. You can also specify any parameters that the app might require. |
+|`Shell`| Application that is used as a Windows shell. |- For Universal Windows Platform (UWP) apps, you must provide the App User Model ID (AUMID). Learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md). - For desktop apps, specify the full path of the executable, which can contain system environment variables in the form of `%variableName%`. You can also specify any parameters that the app might require. |
|`V2:AppType`| Defines the type of application. |Allowed values are `Desktop` and `UWP`.|
|`V2:AllAppsFullScreen` | Boolean value that defines if all applications are executed in full screen. |- When set to `true`, Shell Launcher runs every app in full screen, or maximized for desktop apps. - When set to `false` or not set, only the custom shell app runs in full screen; other apps launched by the user run in windowed mode.|
diff --git a/windows/configuration/shell-launcher/configure-wmi.md b/windows/configuration/shell-launcher/configure-wmi.md
new file mode 100644
index 0000000000..b2d734e9ba
--- /dev/null
+++ b/windows/configuration/shell-launcher/configure-wmi.md
@@ -0,0 +1,143 @@
+---
+title: Configure Shell Launcher with the WMI provider
+description: Learn how to configure a Windows kiosk using the WMI provider for Shell Launcher.
+ms.date: 3/7/2025
+ms.topic: reference
+---
+
+# Configure Shell Launcher with the WMI provider
+
+This article provides a guide on configuring Shell Launcher using the WMI provider, which consists of a set of classes for managing Shell Launcher settings.
+
+Included in this article is a PowerShell script that demonstrates how to utilize the WMI provider for configuring Shell Launcher. The script offers examples on setting the default shell, assigning a custom shell to a user, and removing a custom shell. Additionally, the WMI provider can be used to enable or disable Shell Launcher.
+
+> [!IMPORTANT]
+> The script is not intended to be run as-is. You must modify the script to match your environment and requirements. For example, you must change the user name in the script to match an existing user on your system. The script is provided as a reference only.
+
+```PowerShell
+# Verify Shell Launcher license
+
+function Check-ShellLauncherLicenseEnabled
+{
+ [string]$source = @"
+using System;
+using System.Runtime.InteropServices;
+
+static class CheckShellLauncherLicense
+{
+ const int S_OK = 0;
+
+ public static bool IsShellLauncherLicenseEnabled()
+ {
+ int enabled = 0;
+
+ if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
+ enabled = 0;
+ }
+ return (enabled != 0);
+ }
+
+ static class NativeMethods
+ {
+ [DllImport("Slc.dll")]
+ internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
+ }
+
+}
+"@
+
+ $type = Add-Type -TypeDefinition $source -PassThru
+
+ return $type[0]::IsShellLauncherLicenseEnabled()
+}
+
+[bool]$result = $false
+
+$result = Check-ShellLauncherLicenseEnabled
+"`nShell Launcher license enabled is set to " + $result
+if (-not($result))
+{
+ "`nThis device doesn't have required license to use Shell Launcher"
+ exit
+}
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods.
+try {
+ $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+ } catch [Exception] {
+ write-host $_.Exception.Message;
+ write-host "Make sure Shell Launcher feature is enabled"
+ exit
+ }
+
+
+# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
+
+$Admins_SID = "S-1-5-32-544"
+
+# Create a function to retrieve the SID for a user account on a machine.
+
+function Get-UsernameSID($AccountName) {
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+}
+
+# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
+
+$Cashier_SID = Get-UsernameSID("Cashier")
+
+# Define actions to take when the shell program exits.
+
+$restart_shell = 0
+$restart_device = 1
+$shutdown_device = 2
+$do_nothing = 3
+
+# Examples. You can change these examples to use the program that you want to use as the shell.
+
+# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
+
+$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
+
+# Display the default shell to verify that it was added correctly.
+
+$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
+
+"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
+
+# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
+
+$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
+
+# Set Explorer as the shell for administrators.
+
+$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
+
+# View all the custom shells defined.
+
+"`nCurrent settings for custom shells:"
+Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
+
+# Enable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($TRUE)
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+
+# Remove the new custom shells.
+
+$ShellLauncherClass.RemoveCustomShell($Admins_SID)
+$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
+
+# Disable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($FALSE)
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+```
diff --git a/windows/configuration/shell-launcher/configure.md b/windows/configuration/shell-launcher/configure.md
new file mode 100644
index 0000000000..da5de3ddb3
--- /dev/null
+++ b/windows/configuration/shell-launcher/configure.md
@@ -0,0 +1,266 @@
+---
+title: Configure Shell Launcher
+description: Learn how to configure Shell Launcher.
+ms.date: 3/7/2025
+ms.topic: how-to
+---
+
+# Configure Shell Launcher
+
+There are two ways you can configure Shell Launcher:
+
+1. Using the `ShellLauncher` node of the [Assigned Access Configuration Service Provider (CSP)](/windows/client-management/mdm/assignedaccess-csp), which also automatically enables Shell Launcher on the device, if the device supports it
+1. Using the **Shell Launcher WMI providers** directly in an application. When using this method, you must [enable Shell Launcher](#enable-shell-launcher) first
+
+You can configure the following options for Shell Launcher:
+
+- Add/remove a shell configuration for a specific user or group
+- Change the default shell configuration
+- Get information on a shell configuration for a specific user or group
+
+> [!NOTE]
+> Any changes don't take effect until a user signs in.
+
+## Enable Shell Launcher
+
+Shell Launcher is an optional component in Windows that is not enabled by default. To configure it, you must first enable it. You can enable and configure Shell Launcher in a customized Windows image, or you can enable it before applying a provisioning package to configure it.
+
+> [!NOTE]
+> When you configure Shell Launcher with the Assigned Access Configuration Service Provider (CSP), Shell Launcher is automatically enabled, if the device supports it. There's no need to enable Shell Launcher separately when you configure it using Assigned Access CSP.
+
+There are multiple ways to enable Shell Launcher, select the method that best fits your needs to learn more.
+
+#### [:::image type="icon" source="../images/icons/control-panel.svg"::: **Control Panel**](#tab/control-panel1)
+
+To enable Shell Launcher using Control Panel, follow these steps:
+
+1. Open **Control Panel** > **Programs** > **Turn Windows features on or off** or use the command `optionalfeatures.exe`
+1. Expand **Device Lockdown** and select **Shell Launcher**
+1. Select **OK** to enable Shell Launcher
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/powershell1)
+
+To enable Shell Launcher using PowerShell, follow these steps:
+
+1. Open a PowerShell window with administrator privileges
+1. Run the following command:
+
+ ```powershell
+ Enable-WindowsOptionalFeature -FeatureName Client-DeviceLockdown,Client-EmbeddedShellLauncher -Online
+ ```
+
+#### [:::image type="icon" source="../images/icons/settings.svg"::: **DISM**](#tab/dism1)
+
+The following example uses a Windows image called `install.wim`, but you can use the same procedure to apply a provisioning package.
+
+1. Open a command prompt with administrator privileges.
+1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called `C:\wim`)
+1. Modify the following script to match your environment:
+
+```cmd
+@echo off
+REM Create a new directory
+md c:\wim
+
+REM Mount the image
+dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
+
+REM Enable the feature
+dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
+
+REM Commit the change
+dism /unmount-wim /MountDir:c:\wim /Commit
+```
+
+For more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
+
+#### [:::image type="icon" source="../images/icons/dev.svg"::: **WMI**](#tab/wmi)
+
+You can enable or disable Shell Launcher by calling the `SetEnabled` function in the Windows Management Instrumentation (WMI) class `WESL_UserSetting`.
+
+For more information, see [WESL_UserSetting](wesl-usersetting.md).
+
+---
+
+## Launch different shells for different user accounts
+
+By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to the Windows Command Processor (`Cmd.exe`), but you can specify any executable file to be the default shell.
+
+You can also configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to launch a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts for servicing the device.
+
+When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
+
+> [!NOTE]
+> If you use the WMI provider to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that security principal. You can't use the user name or group name.
+>
+> For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
+
+## Shell Launcher startup and exit behavior
+
+Shell Launcher processes the `Run` and `RunOnce` registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services.
+
+Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs. When a custom shell exits, Shell Launcher can perform one of four actions:
+
+- `0`: Restart the shell
+- `1`: Restart the device
+- `2`: Shut down the device
+- `3`: Do nothing
+
+> [!IMPORTANT]
+> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
+
+### Default return code action
+
+You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
+
+### Map the exit code to a Shell Launcher action
+
+Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
+
+If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
+
+For example, your shell might return exit code values of `-1`, `0`, `1`, or `255` depending on how the shell exits. You can configure Shell Launcher to:
+
+- restart the device (`1`) when the shell returns an exit code of value `-1`
+- restart the shell (`0`) when the shell returns an exit code of value `0`
+- do nothing (`3`) when the shell returns an exit code of value 1
+- shut down the device (`2`) when the shell returns an exit code of value `255`
+
+Your custom return code action mapping would look like this:
+
+|Exit code|Action|
+|:----:|----|
+|`-1`|`1` (restart the device)|
+|`0`|`0` (restart the shell)|
+|`1`|`3` (do nothing)|
+|`255`|`2` (shut down the device)|
+
+## Set your custom shell with the Assigned Access CSP
+
+The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
+
+- A Mobile Device Management (MDM) solution, like Microsoft Intune
+- Provisioning packages
+- The MDM Bridge WMI Provider
+
+> [!NOTE]
+> Configuring Shell Launcher using Assigned Access CSP, automatically enables Shell Launcher on the device, if the device supports it.
+
+To learn how to configure the Shell Launcher XML file, see [Create a Shell Launcher configuration file](configuration-file.md).
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+You can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
+
+- **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
+- **Value:** content of the XML configuration file
+
+Assign the policy to a group that contains as members the devices that you want to configure.
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+You can configure Shell Launcher by creating a provisioning package and then applying the provisioning package during image deployment time or at runtime:
+
+- If you're creating an installation media with settings for Shell Launcher included in the image, or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM for a provisioning package to successfully apply
+- If exectuing the provisioning package at runtime, ensure to [enable Shell Launcher](#enable-shell-launcher) before applying the provisioning package
+
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
+
+| Path | Setting name | Value |
+|--|--|--|
+| `SMISettings/ShellLauncher/` | `Enable` | ENABLE |
+| `SMISettings/ShellLauncher/` | * | It depends on specific settings. |
+
+[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+
+[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
+
+```PowerShell
+$shellLauncherConfiguration = @"
+
+# content of the XML configuration file
+
+"@
+
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
+$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
+if($cimSetError) {
+ Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
+ Write-Error -ErrorRecord $cimSetError[0]
+
+ $timeout = New-TimeSpan -Seconds 30
+ $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ $eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
+ do{
+ $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
+ } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
+
+ if($events.Count) {
+ $events | ForEach-Object {
+ Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
+ }
+ } else {
+ Write-Warning "Timed-out attempting to retrieve event logs..."
+ }
+
+ Exit 1
+}
+
+Write-Output "Successfully applied Shell Launcher configuration"
+```
+
+[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
+
+---
+
+> [!TIP]
+> For practical examples, see the [Quickstart: configure a kiosk experience with Shell Launcher](quickstart-kiosk.md).
+
+## User experience
+
+After the settings are applied, the users that are configured to use Shell Launcher will execute the custom shell after sign-in.
+
+Depending on your configuration, you can have a user to automatically sign in to the device.
+
+## Remove Shell Launcher
+
+Here are the options to remove Shell Launcher, select the method that best fits your needs:
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+Unassign or delete the policy that contains the configuration.
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+Uninstall the provisioning package that contains the configuration.
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+
+```PowerShell
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = $null
+Set-CimInstance -CimInstance $obj
+```
+
+---
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn how to configure the Shell Launcher XML file:
+>
+> [Create a Shell Launcher configuration file](configuration-file.md)
+
+
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md b/windows/configuration/shell-launcher/includes/quickstart-intune.md
similarity index 99%
rename from windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
rename to windows/configuration/shell-launcher/includes/quickstart-intune.md
index 67b1c7788a..e2aef9a69d 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
+++ b/windows/configuration/shell-launcher/includes/quickstart-intune.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 10/31/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md b/windows/configuration/shell-launcher/includes/quickstart-ps.md
similarity index 98%
rename from windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
rename to windows/configuration/shell-launcher/includes/quickstart-ps.md
index d6c03611c6..f8cccb47f1 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
+++ b/windows/configuration/shell-launcher/includes/quickstart-ps.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 10/31/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md b/windows/configuration/shell-launcher/includes/quickstart-xml.md
similarity index 98%
rename from windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
rename to windows/configuration/shell-launcher/includes/quickstart-xml.md
index 085c937378..95ba5d01a1 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
+++ b/windows/configuration/shell-launcher/includes/quickstart-xml.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 10/31/2024
+ms.date: 3/7/2025
ms.topic: include
---
diff --git a/windows/configuration/shell-launcher/index.md b/windows/configuration/shell-launcher/index.md
index 50eeb99ef6..b10c77dc23 100644
--- a/windows/configuration/shell-launcher/index.md
+++ b/windows/configuration/shell-launcher/index.md
@@ -1,344 +1,65 @@
---
-title: Shell Launcher
-description: Shell Launcher
-ms.date: 06/07/2018
+title: Shell Launcher Overview
+description: Learn how to configure devices with Shell Launcher.
+ms.date: 3/7/2025
ms.topic: overview
---
-# Shell Launcher
+# Shell Launcher overview
-Using Shell Launcher, you can configure a kiosk device to use almost any application or executable as your custom shell. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (`Explorer.exe`) with a Windows desktop application or a Universal Windows Platform (UWP) app. This feature is useful for creating a custom user experience on devices that are used for a specific purpose, including kiosks, ATMs, and digital signage.
-You can also configure Shell Launcher to launch different shell applications for different users or user groups.
+Shell Launcher controls which application a user gets as the shell after sign-in. It doesn't prevent a user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand. You can also configure Shell Launcher to launch different shell applications for different users or user groups.
-There are a few exceptions to the applications and executables you can use as a custom shell:
+With Shell Launcher, you can use features and methods to control access to other applications or system components. These methods include, but aren't limited to:
-- You can't use the following executable as a custom shell: `C:\\Windows\\System32\\Eshell.exe`. Using Eshell.exe as the default shell will result in a blank screen after user signs in.
-- You can't use a Universal Windows app as a custom shell.
-- You can't use a custom shell to launch Universal Windows apps, for example, the Settings app.
-- You can't use an application that launches a different process and exits as a custom shell. For example, you can't specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher isn't aware of the newly created wordpad.exe process, Shell Launcher takes action based on the exit code of **Write.exe**, and restart the custom shell.
-- You can't prevent the system from shutting down. For Shell Launcher V1 and V2, you can't block the session ending by returning FALSE upon receiving the [WM_QUERYENDSESSION](/windows/win32/shutdown/wm-queryendsession) message in a graphical application or returning FALSE in the [handler routine](/windows/console/handlerroutine) that is added through the [SetConsoleCtrlHandler](/windows/console/setconsolectrlhandler) function in a console application.
+- Configuration Service Provider (CSP)
+- Group policy (GPO)
+- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
-> [!NOTE]
-> You cannot configure both Shell Launcher and assigned access on the same system.
->
-> Use **Shell Launcher V2**, you can specify a Universal Windows app as a custom shell. Check [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) for the differences between Shell Launcher v1 and Shell Launcher V2.
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
-Shell Launcher processes the **Run** and **RunOnce** registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services.
+## Shell Launcher version history
-Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
+Shell Launcher has undergone several iterations since its introduction, with the most notable being Shell Launcher v1 and Shell Launcher v2. Each version has brought improvements and new features to enhance the user experience and functionality of custom shells in Windows environments:
-Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher such as, [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250), [AppLocker](/windows/iot/iot-enterprise/customize/application-control#applocker), and [Mobile Device Management](/windows/client-management/mdm/)
+- Shell Launcher v1 was the original implementation, introduced to provide basic functionality for replacing the default shell. However, it had limitations, such as only supporting Win32 applications as custom shells and lacking flexibility for handling modern app scenarios
+- Shell Launcher v2, introduced with Windows 10, version 1809, added support for Universal Windows Platform (UWP) apps as custom shells, making it more versatile for modern environments
-> [!NOTE]
->
-> In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell.
->
-> To use Shell Launcher v2 in version 1809, you need to install the [KB4551853 update](https://support.microsoft.com/topic/may-12-2020-kb4551853-os-build-17763-1217-c2ea33f7-4506-dd13-2739-d9c7bb80b26d).
+### Differences between Shell Launcher v1 and Shell Launcher v2
-## Differences between Shell Launcher v1 and Shell Launcher v2
+- Shell Launcher v1 replaces `Explorer.exe` with `Eshell.exe`, which can only launch a Windows desktop application
+- Shell Launcher v2 replaces `Explorer.exe` with `CustomShellHost.exe`, which can launch a Windows desktop application or a UWP app
+- In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
+ - You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard
+ - From a custom UWP shell, you can launch secondary views and run on multiple monitors
+ - The custom shell app runs in full screen, and can run other apps in full screen on user's demand
-Shell Launcher v1 replaces ```explorer.exe```, the default shell, with ```eshell.exe```, which can launch a Windows desktop application.
-Shell Launcher v2 replaces ```explorer.exe``` with ```customshellhost.exe```. This new executable file can launch a Windows desktop application or a UWP app.
-In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
-
-- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard.
-- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
-- The custom shell app runs in full screen, and can run other apps in full screen on user's demand.
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/microsoft/Windows-IoT-Samples/tree/master/samples/ShellLauncher/ShellLauncherV2).
-## Requirements
+## Limitations
-Windows 10 Enterprise or Windows 10 Education.
+Here are some limitations to consider when using Shell Launcher:
-## Terminology
-
-- **Turn on, enable:** To make the setting available to the device and optionally apply the settings to the device.
-- **Configure:** To customize the setting or subsettings.
-- **Embedded Shell Launcher:** This feature is called Embedded Shell Launcher in Windows 10, version 1511.
-- **Custom Shell Launcher:** This feature is called Shell Launcher in Windows 10, version 1607 and later.
-
-## Turn on Shell Launcher
-
-Shell Launcher is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed, you must turn on Shell Launcher before applying a provisioning package to configure Shell Launcher.
-
-### Enable Shell Launcher using Control Panel
-
-1. In the **Search the web and Windows** field, type **Programs and Features** and either press **Enter** or tap or select **Programs and Features** to open it.
-1. In the **Programs and Features** window, select **Turn Windows features on or off**.
-1. In the **Windows Features** window, expand the **Device Lockdown** node, select or clear the checkbox for **Shell Launcher**, and then select **OK.**
-1. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
-1. Select **Close** to close the **Windows Features** window.
-
-> [!NOTE]
-> Turning on Shell Launcher does not require a device restart.
-
-### Enable Shell Launcher by calling WESL_UserSetting
-
-1. Enable or disable Shell Launcher by calling the WESL_UserSetting.SetEnabled function in the Windows Management Instrumentation (WMI) class WESL_UserSetting.
-1. If you enable or disable Shell Launcher using WESL_UserSetting, the changes don't affect any sessions that are currently signed in; you must sign out and sign back in.
-
-This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package (for more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
-
-### Enable Shell Launcher using DISM
-
-1. Open a command prompt with administrator privileges.
-1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called C:\\wim).
-1. Create a new directory.
-
- ```CMD
- md c:\wim
- ```
-
-1. Mount the image.
-
- ```CMD
- dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
- ```
-
-1. Enable the feature.
-
- ```CMD
- dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
- ```
-
-1. Commit the change.
-
- ```CMD
- dism /unmount-wim /MountDir:c:\wim /Commit
- ```
-
-### Enable Shell Launcher using Windows Configuration Designer
-
-The Shell Launcher settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image runtime. You can set one or all Shell Launcher settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. If Windows hasn't been installed and you're using Windows Configuration Designer to create installation media with settings for Shell Launcher included in the image or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM in order for a provisioning package to successfully apply.
-
-Use the following steps to create a provisioning package that contains the ShellLauncher settings.
-
-1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
-1. In the **Available customizations** page, select **Runtime settings** > **SMISettings** > **ShellLauncher**.
-1. Set the value of **Enable** to **ENABLE**. More options to configure Shell Launcher appears, and you can set the values as desired.
-1. Once you have finished configuring the settings and creating the provisioning package, you can apply the package to the image deployment time or runtime. See the [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. The process for applying the package to a Windows 10 Enterprise image is the same.
-
-## Configure Shell Launcher
-
-There are two ways you can configure Shell Launcher:
-
-1. In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the Assigned Access Configuration Service Provider (CSP). See [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) for details. Configuring Shell Launcher using this method also automatically enables Shell Launcher on the device, if the device supports it.
-1. Use the Shell Launcher WMI providers directly in a PowerShell script or application.
-
-You can configure the following options for Shell Launcher:
-
-- Enable or disable Shell Launcher.
-- Specify a shell configuration for a specific user or group.
-- Remove a shell configuration for a specific user or group.
-- Change the default shell configuration.
-- Get information on a shell configuration for a specific user or group.
-
-Any changes don't take effect until a user signs in.
-
-## Launch different shells for different user accounts
-
-By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to Cmd.exe, but you can specify any executable file to be the default shell.
-
-You can configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to run a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts in order to service the device.
-
-If you use the WMI providers to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that user or group; you can't use the user name or group name.
-
-For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
-
-When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
-
-## Perform an action when the shell exits
-
-When a custom shell exits, Shell Launcher can perform one of four actions:
-
-|Action|Description|
-|:---:|:---|
-|0|Restart the shell.|
-|1|Restart the device.|
-|2|Shut down the device.|
-|3|Do nothing.|
-
-> [!IMPORTANT]
-> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
-
-### Default return code action
-
-You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
-
-### Map the exit code to a Shell Launcher action
-
-Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
-
-If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
-
-For example, your shell might return exit code values of -1, 0, 1, or 255 depending on how the shell exits. You can configure Shell Launcher to:
-
-- restart the device (1) when the shell returns an exit code of value -1
-- restart the shell (0) when the shell returns an exit code of value 0
-- do nothing (3) when the shell returns an exit code of value 1
-- shut down the device (2) when the shell returns an exit code of value 255
-
-Your custom return code action mapping would look like this:
-
-|Exit code|Action|
-|:----:|----|
-|-1|1 (restart the device)|
-|0|0 (restart the shell)|
-|1|3 (do nothing)|
-|255|2 (shut down the device)|
-
-## Set your custom shell
-
-Modify the following PowerShell script as appropriate and run the script on the device.
-
-```PowerShell
-# Check if shell launcher license is enabled
-function Check-ShellLauncherLicenseEnabled
-{
- [string]$source = @"
-using System;
-using System.Runtime.InteropServices;
-
-static class CheckShellLauncherLicense
-{
- const int S_OK = 0;
-
- public static bool IsShellLauncherLicenseEnabled()
- {
- int enabled = 0;
-
- if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
- enabled = 0;
- }
- return (enabled != 0);
- }
-
- static class NativeMethods
- {
- [DllImport("Slc.dll")]
- internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
- }
-
-}
-"@
-
- $type = Add-Type -TypeDefinition $source -PassThru
-
- return $type[0]::IsShellLauncherLicenseEnabled()
-}
-
-[bool]$result = $false
-
-$result = Check-ShellLauncherLicenseEnabled
-"`nShell Launcher license enabled is set to " + $result
-if (-not($result))
-{
- "`nThis device doesn't have required license to use Shell Launcher"
- exit
-}
-
-$COMPUTER = "localhost"
-$NAMESPACE = "root\standardcimv2\embedded"
-
-# Create a handle to the class instance so we can call the static methods.
-try {
- $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
- } catch [Exception] {
- write-host $_.Exception.Message;
- write-host "Make sure Shell Launcher feature is enabled"
- exit
- }
-
-
-# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
-
-$Admins_SID = "S-1-5-32-544"
-
-# Create a function to retrieve the SID for a user account on a machine.
-
-function Get-UsernameSID($AccountName) {
-
- $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
- $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
-
- return $NTUserSID.Value
-}
-
-# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
-
-$Cashier_SID = Get-UsernameSID("Cashier")
-
-# Define actions to take when the shell program exits.
-
-$restart_shell = 0
-$restart_device = 1
-$shutdown_device = 2
-$do_nothing = 3
-
-# Examples. You can change these examples to use the program that you want to use as the shell.
-
-# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
-
-$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
-
-# Display the default shell to verify that it was added correctly.
-
-$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
-
-"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
-
-# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
-
-$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
-
-# Set Explorer as the shell for administrators.
-
-$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
-
-# View all the custom shells defined.
-
-"`nCurrent settings for custom shells:"
-Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
-
-# Enable Shell Launcher
-
-$ShellLauncherClass.SetEnabled($TRUE)
-
-$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
-
-"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
-
-# Remove the new custom shells.
-
-$ShellLauncherClass.RemoveCustomShell($Admins_SID)
-
-$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
-
-# Disable Shell Launcher
-
-$ShellLauncherClass.SetEnabled($FALSE)
-
-$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
-
-"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
-```
-
-> [!NOTE]
-> The previous script includes examples of multiple configuration options, including removing a custom shell and disabling Shell Launcher. It is not intended to be run as-is.
+- Windows doesn't support setting a custom shell before the out-of-box experience (OOBE). If you do, you can't deploy the resulting image
+- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you can't specify `write.exe` in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. `Write.exe` creates a 32-bit `wordpad.exe` process and exits. Since Shell Launcher isn't aware of the newly created `wordpad.exe` process, Shell Launcher takes action based on the exit code of `Write.exe`, such as restarting the custom shell
## Shell Launcher user rights
-A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights can't.
+A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrative rights can perform any system action that requires administrative rights, including launching other applications with administrative rights.
> [!WARNING]
-> If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for Shell Launcher to launch the shell application.
+> If your shell application requires administrative rights and needs to be elevated, and User Account Control (UAC) is enabled, you must disable UAC for Shell Launcher to launch the shell application.
-## Related articles
+## Next steps
-- [Unbranded Boot](../unbranded-boot/index.md)
-- [Custom Logon](../custom-logon/index.md)
-- [Use Shell Launcher to create a Windows 10 Kiosk](/windows/configuration/kiosk-shelllauncher)
-- [Launch different shells for different user accounts](/windows-hardware/customize/enterprise/shell-launcher#launch-different-shells-for-different-user-accounts)
-- [Perform an action when the shell exits](/windows-hardware/customize/enterprise/shell-launcher#perform-an-action-when-the-shell-exits)
-- [Shell Launcher user rights](/windows-hardware/customize/enterprise/shell-launcher#shell-launcher-user-rights)
+> [!div class="nextstepaction"]
+> Learn how to configure Shell Launcher:
+>
+> [Configure Shell Launcher](configure.md)
+
+### :::image type="icon" source="../images/icons/rocket.svg" border="false"::: Quickstarts
+
+If you want to quickly test Shell Launcher, check out the following quickstart:
+
+- [Quickstart: configure a kiosk with Shell Launcher](quickstart-kiosk.md)
diff --git a/windows/configuration/shell-launcher/kiosk-mode.md b/windows/configuration/shell-launcher/kiosk-mode.md
deleted file mode 100644
index d5285fa51d..0000000000
--- a/windows/configuration/shell-launcher/kiosk-mode.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Kiosk Mode
-ms.date: 01/18/2024
-ms.topic: overview
-description: Learn about Kiosk Mode in Windows IoT Enterprise.
----
-
-# Kiosk mode
-
-Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down experiences for public or specialized use: [assigned access single-app kiosks](single-app-kiosk.md), [assigned access multi-app kiosks](multi-app-kiosk.md), or [shell launcher](index.md).
-
-Kiosk configurations are based upon either [assigned access](../assigned-access/overview.md) or [shell launcher](index.md). There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
-
-> [!NOTE]
->
-> A benefit of using an assigned access kiosk mode is [these policies](/windows/configuration/kiosk-policies) are automatically applied to the device to optimize the lock-down experience.
-
-## Which type of app will your kiosk run?
-
-Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](/windows/configuration/setup-digital-signage), select a digital sign player as your kiosk app. Check out the [Guidelines for Kiosk Apps](/windows/configuration/guidelines-for-assigned-access-app).
-
-## Which type of kiosk do you need?
-
-If you want your kiosk to run a single app for anyone to see or use, consider an [assigned-access single-app kiosk](/windows/configuration/shell-launcher/single-app-kiosk) that runs either a [Universal Windows Platform (UWP) app](/windows/configuration/kiosk-methods#uwp) or a [Windows desktop application](/windows/configuration/kiosk-methods#classic).
-
-For a kiosk that people can sign in to with their accounts or that runs more than one app, consider an [assigned access multi-app kiosk](/windows/configuration/kiosk-methods#desktop).
-
-## Which type of user account will be the kiosk account?
-
-The kiosk account can be a local standard user account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use an assigned access multi-app kiosk configuration. The assigned access single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
-
-## Kiosk capabilities for Windows 10 IoT Enterprise
-
-| Mode | Features | Description | Customer Usage |
-|------|----------|------------ |-----------------|
-| Assigned access | Single-app kiosk (UWP) | Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device. | Digital signs & single function devices
-| Assigned access | Single-app kiosk (Microsoft Edge) | Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of browser. Only supports one single-app kiosk profile under one account per device. | Public browsing kiosks & digital signs |
-| Assigned access | Multi-app kiosk (Restricted User Experience) | Windows 10: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles. Windows 11: Presents the familiar Windows desktop experience with a restricted set of apps. | Frontline Worker shared devices |
-| Shell launcher | Shell launcher | Auto launches an app that the customer specifies and monitors the lifecycle of this app. App can be used as a "shell" if desired. No default lockdown policies like hotkey blocking are enforced in Shell Launcher. | Fixed purpose devices with a custom shell experience |
-
-## How to configure your device for kiosk mode?
-
-Visit the following documentation to set up a kiosk according to your scenario:
-
-* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
-* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
-* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
-* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
-
-## Additional Resources
-
-* [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app)
-* [Validate your kiosk configuration](/windows/configuration/kiosk-validate)
-* [Guidelines for choosing an app for assigned access (kiosk mode)](/windows/configuration/guidelines-for-assigned-access-app)
-* [Policies enforced on kiosk devices](/windows/configuration/kiosk-policies)
-* [Assigned access XML reference](/windows/configuration/kiosk-xml)
-* [Use AppLocker to create a Windows 10 kiosk](/windows/configuration/lock-down-windows-10-applocker)
-* [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher)
-* [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](/windows/configuration/kiosk-mdm-bridge)
-* [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot)
-* [Plan your kiosk mode transition to Microsoft Edge](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
diff --git a/windows/configuration/shell-launcher/multi-app-kiosk.md b/windows/configuration/shell-launcher/multi-app-kiosk.md
deleted file mode 100644
index b77d2fd604..0000000000
--- a/windows/configuration/shell-launcher/multi-app-kiosk.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Multi-App Kiosk
-ms.date: 08/16/2023
-ms.topic: concept-article
-description: Learn about the Multi-App Kiosk in Windows IoT Enterprise.
----
-
-# Assigned access multi-app kiosk
-
-An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a [guide](/windows/configuration/lock-down-windows-10-to-specific-apps) on how to set up a multi-app kiosk.
-
-> [!NOTE]
-> Multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2, or 22H2. Refer to [What's new for subsequent releases](/windows/iot/iot-enterprise/whats-new/release-history#windows-11-iot-enterprise) for information about its return.
->
-> **Update** - [Multi-app kiosk mode is now available in Windows 11](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)., version 22H2 as part of the Windows continuous innovation releases. To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [Delivering continuous innovation in Windows 11](https://support.microsoft.com/windows/delivering-continuous-innovation-in-windows-11-b0aa0a27-ea9a-4365-9224-cb155e517f12).
-
-## Benefits of using a multi-app kiosk
-
-The benefit of a kiosk that runs multiple specified apps is to provide an easy-to-understand experience for individuals by showing them only the things they need to use, and removing the things they don't need to access.
-
-A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with the device and receive a customized lockdown experience based on the configuration.
-
-## Configuring your multi-app kiosk
-
-* [Configure a kiosk in Microsoft Intune](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune)
-* [Configure a kiosk using a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package)
-
-> [!NOTE]
->
-> When you configure a multi-app kiosk, [specific policies](/windows/configuration/kiosk-policies) are enforced that affects all nonadministrator users on the device.
-
-## More Resources
-
-* [New features and improvements](/windows/configuration/lock-down-windows-10-to-specific-apps)
-* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
-* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
-* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
-* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
-* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
diff --git a/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md b/windows/configuration/shell-launcher/quickstart-kiosk.md
similarity index 67%
rename from windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
rename to windows/configuration/shell-launcher/quickstart-kiosk.md
index c843e767a5..c7e587aafe 100644
--- a/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
+++ b/windows/configuration/shell-launcher/quickstart-kiosk.md
@@ -1,11 +1,11 @@
---
-title: "Quickstart: configure a kiosk experience with Shell Launcher"
-description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
+title: "Quickstart: configure a single-app kiosk with Shell Launcher"
+description: Learn how to configure a signle-app kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 10/31/2024
+ms.date: 3/7/2025
---
-# Quickstart: configure a kiosk experience with Shell Launcher
+# Quickstart: configure a kiosk with Shell Launcher
This quickstart provides practical examples of how to configure a *kiosk experience* on Windows with Shell Launcher. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, and PowerShell. While different solutions are used, the configuration settings and results are the same.
@@ -22,9 +22,9 @@ The examples can be modified to fit your specific requirements. For example, you
## Configure a kiosk device
-[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
-#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!TIP]
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
@@ -42,13 +42,13 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
[!INCLUDE [quickstart-xml](includes/quickstart-xml.md)]
-#### [:::image type="icon" source="../../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
-[!INCLUDE [powershell-wmi-bridge-1](../../../../includes/configure/powershell-wmi-bridge-1.md)]
+[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
[!INCLUDE [quickstart-ps](includes/quickstart-ps.md)]
-[!INCLUDE [powershell-wmi-bridge-2](../../../../includes/configure/powershell-wmi-bridge-2.md)]
+[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
---
@@ -56,6 +56,20 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
After the settings are applied, reboot the device. A local user account is automatically signed in, opening Microsoft Edge.
+## Remove Shell Launcher
+
+Once you no longer need the kiosk configuration, you can remove it.
+
+Here's a PowerShell example to remove the Shell Launcher configuration:
+
+```powershell
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.ShellLauncher = $null
+Set-CimInstance -CimInstance $obj
+```
+
## Next steps
> [!div class="nextstepaction"]
diff --git a/windows/configuration/shell-launcher/single-app-kiosk.md b/windows/configuration/shell-launcher/single-app-kiosk.md
deleted file mode 100644
index 541fb49a2e..0000000000
--- a/windows/configuration/shell-launcher/single-app-kiosk.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Assigned access Single-App Kiosk
-ms.date: 03/30/2023
-ms.topic: concept-article
-description: Learn about the Single-App Kiosk in Windows IoT Enterprise.
----
-
-# Assigned access single-app kiosk
-
-A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk can't do anything on the device outside of the kiosk app.
-
-> [!NOTE]
->
-> Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
-
-## Benefits of using a single-app kiosk
-
-A single-app kiosk is ideal for public use. Using [shell launcher](./index.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen, and users have access to only this app and nothing else on the system. This experience is often used for public-facing kiosk machines. Check out [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions) for more information.
-
-## Configuring your single-app kiosks
-
-You have several options for configuring your single-app kiosk.
-
-* [Settings App](/windows/configuration/kiosk-single-app#local)
-* [PowerShell](/windows/configuration/kiosk-single-app#powershell)
-* [Kiosk Wizard in Windows Configuration Designer](/windows/configuration/kiosk-single-app#wizard)
-* [Microsoft Intune or other MDM providers](/windows/configuration/kiosk-single-app#mdm)
-
-> [!TIP]
-> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps) by using a [kiosk profile](/windows/configuration/lock-down-windows-10-to-specific-apps#profile).
-
-## Additional Resources
-
-* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
-* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
-* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
-* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
-* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
diff --git a/windows/configuration/shell-launcher/toc.yml b/windows/configuration/shell-launcher/toc.yml
index 07c18e4e82..e9df21bfa8 100644
--- a/windows/configuration/shell-launcher/toc.yml
+++ b/windows/configuration/shell-launcher/toc.yml
@@ -1,25 +1,33 @@
-
items:
-- name: Shell Launcher
+- name: Overview
+ href: index.md
+- name: Configure Shell Launcher
+ href: configure.md
+- name: "Quickstart: Configure a kiosk"
+ href: quickstart-kiosk.md
+- name: Create a configuration file
+ href: configuration-file.md
+- name: Reference
items:
- - name: Overview
- href: index.md
- - name: WMI Provider Reference
- items:
- - name: Class WESL_UserSetting
- href: wesl-usersetting.md
- - name: GetCustomShell
- href: wesl-usersettinggetcustomshell.md
- - name: GetDefaultShell
- href: wesl-usersettinggetdefaultshell.md
- - name: IsEnabled
- href: wesl-usersettingisenabled.md
- - name: RemoveCustomShell
- href: wesl-usersettingremovecustomshell.md
- - name: SetCustomShell
- href: wesl-usersettingsetcustomshell.md
- - name: SetDefaultShell
- href: wesl-usersettingsetdefaultshell.md
- - name: SetEnabled
- href: wesl-usersettingsetenabled.md
-
+ - name: Shell Launcher XSD
+ href: xsd.md
+ - name: WMI Provider
+ items:
+ - name: Class WESL_UserSetting
+ href: wesl-usersetting.md
+ - name: GetCustomShell
+ href: wesl-usersettinggetcustomshell.md
+ - name: GetDefaultShell
+ href: wesl-usersettinggetdefaultshell.md
+ - name: IsEnabled
+ href: wesl-usersettingisenabled.md
+ - name: RemoveCustomShell
+ href: wesl-usersettingremovecustomshell.md
+ - name: SetCustomShell
+ href: wesl-usersettingsetcustomshell.md
+ - name: SetDefaultShell
+ href: wesl-usersettingsetdefaultshell.md
+ - name: SetEnabled
+ href: wesl-usersettingsetenabled.md
+ - name: Configure Shell Launcher with WMI
+ href: configure-wmi.md
\ No newline at end of file
diff --git a/windows/configuration/shell-launcher/wesl-usersetting.md b/windows/configuration/shell-launcher/wesl-usersetting.md
index ce3019dbf0..7fdf75bdd5 100644
--- a/windows/configuration/shell-launcher/wesl-usersetting.md
+++ b/windows/configuration/shell-launcher/wesl-usersetting.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting
description: WESL_UserSetting
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This class configures which application Shell Launcher starts based on the secur
## Syntax
-```powershell
+```mof
class WESL_UserSetting {
[read, write, Required] string Sid;
[read, write, Required] string Shell;
@@ -76,10 +76,10 @@ The following tables list any methods and properties that belong to this class.
| Property | Data type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **Sid** | string | [read, write, required] | User or group SID. |
-| **shell** | string | [read, write, required] | The application to start as the shell.The **shell** property can be a filename in the *Path* environment variable, or it can contain a fully qualified path to the application. You can also use environment variables in the path.Any spaces in the **shell** property must be part of a quote-delimited string. |
+| **shell** | string | [read, write, required] | The application to start as the shell. The **shell** property can be a filename in the *Path* environment variable, or it can contain a fully qualified path to the application. You can also use environment variables in the path. Any spaces in the **shell** property must be part of a quote-delimited string. |
| **CustomReturnCodes** | Sint32[] |[read, write] | An array of custom return codes that can be returned by the shell. |
-| **CustomReturnCodesAction** | Sint32[] | [read, write] | An array of custom return code actions that determine what action Shell Launcher takes when the shell exits. The custom actions map to the array of **CustomReturnCodes**.The possible actions are:0 - Restart the shell.1 - Restart the device.2 - Shut down the device.3 - Do nothing. |
-| **DefaultAction** | Sint32 | [read, write] | The default action Shell Launcher takes when the shell exits.The possible actions are defined as follows:0 - Restart the shell.1 - Restart the device.2 - Shut down the device.3 - Do nothing. |
+| **CustomReturnCodesAction** | Sint32[] | [read, write] | An array of custom return code actions that determine what action Shell Launcher takes when the shell exits. The custom actions map to the array of **CustomReturnCodes**. The possible actions are: 0 - Restart the shell. 1 - Restart the device. 2 - Shut down the device. 3 - Do nothing. |
+| **DefaultAction** | Sint32 | [read, write] | The default action Shell Launcher takes when the shell exits. The possible actions are defined as follows: 0 - Restart the shell. 1 - Restart the device. 2 - Shut down the device. 3 - Do nothing. |
### Remarks
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
index 6be4813c8c..13bb720876 100644
--- a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.GetCustomShell
description: WESL_UserSetting.GetCustomShell
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This method retrieves the Shell Launcher configuration for a specific user or gr
## Syntax
-```powershell
+```mof
[Static] uint32 GetCustomShell (
[In, Required] string Sid,
[Out, Required] string Shell,
@@ -25,13 +25,13 @@ This method retrieves the Shell Launcher configuration for a specific user or gr
## Parameters
-**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
+**Sid** \[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
-**Shell**\[out, required\] The application or executable that Shell Launcher starts as the shell.
+**Shell** \[out, required\] The application or executable that Shell Launcher starts as the shell.
-**CustomReturnCodes**\[out, required\] An array of custom return codes returned by the shell application.
+**CustomReturnCodes** \[out, required\] An array of custom return codes returned by the shell application.
-**CustomReturnCodesAction**\[out, required\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
+**CustomReturnCodesAction** \[out, required\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
The possible actions are defined in the following table:
@@ -42,7 +42,7 @@ The possible actions are defined in the following table:
| 2 | Shut down the device. |
| 3 | Do nothing. |
-**DefaultAction**\[out, required\] The default action that Shell Launcher takes when the shell application exits.
+**DefaultAction** \[out, required\] The default action that Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
index c32948ad15..1494b1f22d 100644
--- a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.GetDefaultShell
description: WESL_UserSetting.GetDefaultShell
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This method retrieves the default Shell Launcher configuration.
## Syntax
-```powershell
+```mof
[Static] uint32 GetDefaultShell (
[Out, Required] string Shell,
[Out, Required] sint32 DefaultAction
@@ -22,9 +22,9 @@ This method retrieves the default Shell Launcher configuration.
## Parameters
-**Shell**\[out, required\] The application or executable that Shell Launcher starts as the shell.
+**Shell** \[out, required\] The application or executable that Shell Launcher starts as the shell.
-**DefaultAction**\[out, required\] The default action Shell Launcher takes when the shell application exits.
+**DefaultAction** \[out, required\] The default action Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
diff --git a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
index 1125bb1d92..70df90e02b 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.IsEnabled
description: WESL_UserSetting.IsEnabled
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This method retrieves a value that indicates if Shell Launcher is enabled or dis
## Syntax
-```powershell
+```mof
[Static] uint32 IsEnabled(
[Out, Required] boolean Enabled
);
@@ -21,7 +21,7 @@ This method retrieves a value that indicates if Shell Launcher is enabled or dis
## Parameters
-**Enabled**\[out, required\] A Boolean value that indicates if Shell Launcher is enabled.
+**Enabled** \[out, required\] A Boolean value that indicates if Shell Launcher is enabled.
## Return Value
diff --git a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
index e5058577a9..bea8a865f5 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.RemoveCustomShell
description: WESL_UserSetting.RemoveCustomShell
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This method removes a Shell Launcher configuration for a specific user or group,
## Syntax
-```powershell
+```mof
[Static] uint32 RemoveCustomShell (
[In, Required] string Sid
);
@@ -21,7 +21,7 @@ This method removes a Shell Launcher configuration for a specific user or group,
## Parameters
-**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
+**Sid** \[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
## Return Value
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
index 5b788c9295..50d659fe00 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetCustomShell
description: WESL_UserSetting.SetCustomShell
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This method configures Shell Launcher for a specific user or group, based on the
## Syntax
-```powershell
+```mof
[Static] uint32 SetCustomShell (
[In, Required] string Sid,
[In, Required] string Shell,
@@ -25,13 +25,13 @@ This method configures Shell Launcher for a specific user or group, based on the
## Parameters
-**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is being configured for.
+**Sid** \[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is being configured for.
-**Shell**\[in, required\] The application or executable that Shell Launcher starts as the shell.
+**Shell** \[in, required\] The application or executable that Shell Launcher starts as the shell.
-**CustomReturnCodes**\[in\] An array of custom return codes that can be returned by the shell application.
+**CustomReturnCodes** \[in\] An array of custom return codes that can be returned by the shell application.
-**CustomReturnCodesAction**\[in\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
+**CustomReturnCodesAction** \[in\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
The possible actions are defined in the following table:
@@ -42,7 +42,7 @@ The possible actions are defined in the following table:
| 2 | Shut down the device. |
| 3 | Do nothing. |
-**DefaultAction**\[In\] The default action that Shell Launcher takes when the shell application exits.
+**DefaultAction** \[In\] The default action that Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
index d829d7d717..30f9c928c2 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetDefaultShell
description: WESL_UserSetting.SetDefaultShell
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This method sets the default Shell Launcher configuration.
## Syntax
-```powershell
+```mof
[Static] uint32 SetDefaultShell (
[In, Required] string Shell,
[In, Required] sint32 DefaultAction
@@ -22,9 +22,9 @@ This method sets the default Shell Launcher configuration.
## Parameters
-**Shell**\[in, required\] The application or executable that Shell Launcher starts as the shell.
+**Shell** \[in, required\] The application or executable that Shell Launcher starts as the shell.
-**DefaultAction**\[in, required\] The default action that Shell Launcher takes when the *Shell* application exits.
+**DefaultAction** \[in, required\] The default action that Shell Launcher takes when the *Shell* application exits.
The possible actions are defined in the following table:
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
index 64d952bf88..e664e017f0 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetEnabled
description: WESL_UserSetting.SetEnabled
-ms.date: 02/25/2025
+ms.date: 3/7/2025
ms.topic: reference
---
@@ -13,7 +13,7 @@ This method enables or disables Shell Launcher.
## Syntax
-```powershell
+```mof
[Static] uint32 SetEnabled(
[In, Required] boolean Enabled
);
@@ -21,7 +21,7 @@ This method enables or disables Shell Launcher.
## Parameters
-**Enabled**\[in, required\] A Boolean value that indicates whether to enable or disable Shell Launcher.
+**Enabled** \[in, required\] A Boolean value that indicates whether to enable or disable Shell Launcher.
## Return Value
diff --git a/windows/configuration/assigned-access/shell-launcher/xsd.md b/windows/configuration/shell-launcher/xsd.md
similarity index 99%
rename from windows/configuration/assigned-access/shell-launcher/xsd.md
rename to windows/configuration/shell-launcher/xsd.md
index 3dcc586570..0ad8f7aa2d 100644
--- a/windows/configuration/assigned-access/shell-launcher/xsd.md
+++ b/windows/configuration/shell-launcher/xsd.md
@@ -2,7 +2,7 @@
title: Shell Launcher XML Schema Definition (XSD)
description: Shell Launcher XSD reference article.
ms.topic: reference
-ms.date: 10/31/2024
+ms.date: 3/7/2025
---
# Shell Launcher XML Schema Definition (XSD)
diff --git a/windows/configuration/start/images/windows-11-settings.png b/windows/configuration/start/images/windows-11-settings.png
index 18150b3ff8..4875433cbc 100644
Binary files a/windows/configuration/start/images/windows-11-settings.png and b/windows/configuration/start/images/windows-11-settings.png differ
diff --git a/windows/configuration/start/images/windows-11.png b/windows/configuration/start/images/windows-11.png
index 32925b625e..09cf036511 100644
Binary files a/windows/configuration/start/images/windows-11.png and b/windows/configuration/start/images/windows-11.png differ
diff --git a/windows/configuration/start/includes/example-secondary-tiles.md b/windows/configuration/start/includes/example-secondary-tiles.md
index 1f1a7197b5..5fa52b07cb 100644
--- a/windows/configuration/start/includes/example-secondary-tiles.md
+++ b/windows/configuration/start/includes/example-secondary-tiles.md
@@ -7,6 +7,8 @@ ms.topic: include
Example of secondary tiles in XML generated by the PowerShell cmdlet `Export-StartLayout`:
+::: zone pivot="windows-10"
+
```xml
```
+
+::: zone-end
+
+::: zone pivot="windows-11"
+
+```json
+{
+ "secondaryTile": {
+ "tileId": "MSEdge._pin_obflpecijelbcglkjpdhljkfbe",
+ "arguments": " --pin-url=https://intranet.contoso.com/ --profile-directory=Default --launch-tile",
+ "displayName": "Contoso Intranet",
+ "packagedAppId": "Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App",
+ "smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_obflpecijelbcglkjpdhljkfbe/SmallLogo.png",
+ "smallIcon": "Base64 encoded value of the logo",
+ "largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_obflpecijelbcglkjpdhljkfbe/Logo.png",
+ "largeIcon": "Base64 encoded value of the logo",
+ }
+ }
+```
+
+::: zone-end
diff --git a/windows/configuration/start/includes/example-start-layout.md b/windows/configuration/start/includes/example-start-layout.md
index 94957b8fa9..d0ad996459 100644
--- a/windows/configuration/start/includes/example-start-layout.md
+++ b/windows/configuration/start/includes/example-start-layout.md
@@ -39,7 +39,7 @@ ms.topic: include
```json
{
"pinnedList": [
- {"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" },
+ { "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" },
{ "packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" },
{ "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk" },
{ "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk" },
@@ -49,7 +49,8 @@ ms.topic: include
{ "packagedAppId": "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App" },
{ "packagedAppId": "Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App" },
{ "packagedAppId": "Microsoft.SecHealthUI_8wekyb3d8bbwe!SecHealthUI" },
- { "packagedAppId": "Microsoft.OutlookForWindows_8wekyb3d8bbwe!Microsoft.OutlookforWindows"}
+ { "packagedAppId": "Microsoft.OutlookForWindows_8wekyb3d8bbwe!Microsoft.OutlookforWindows"},
+ {"secondaryTile": { "tileId": "MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe", "arguments": " --pin-url=https://www.contoso.com --profile-directory=Default --launch-tile", "displayName": "Contoso intranet", "packagedAppId": "Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App", "smallIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png", "smallIcon": "iVBORw0KGgoAAAANSUhEUgAAADQAAAA0CAYAAADFeBvrAAAACXBIWXMAAAInAAACJwG+ElQIAAABaWlDQ1BEaXNwbGF5IFAzAAB4nHWQvUvDUBTFT6tS0DqIDh0cMolD1NIKdnFoKxRFMFQFq1OafgltfCQpUnETVyn4H1jBWXCwiFRwcXAQRAcR3Zw6KbhoeN6XVNoi3sfl/Ticc7lcwBtQGSv2AijplpFMxKS11Lrke4OHnlOqZrKooiwK/v276/PR9d5PiFlNu3YQ2U9cl84ul3aeAlN//V3Vn8maGv3f1EGNGRbgkYmVbYsJ3iUeMWgp4qrgvMvHgtMunzuelWSc+JZY0gpqhrhJLKc79HwHl4plrbWD2N6f1VeXxRzqUcxhEyYYilBRgQQF4X/8044/ji1yV2BQLo8CLMpESRETssTz0KFhEjJxCEHqkLhz634PrfvJbW3vFZhtcM4v2tpCAzidoZPV29p4BBgaAG7qTDVUR+qh9uZywPsJMJgChu8os2HmwiF3e38M6Hvh/GMM8B0CdpXzryPO7RqFn4Er/QcXKWq8MSlPPgAABFZJREFUeAHdWu1RajEQ3ev4X61AXgX6KhA68FWgrwLpAK0AO0ArUCsQKxArECsAK8jLuTNh9i3J5uMGBc9MhivmY0/2ZEk2l8jCGDOyZWF2FxNbeuDS2Iex/RzS7mPaNM0AhBb2j0P6Gfi1Txsms1wu6fPzs/1E6fV6dHBwQIeHGxm2t0+V8fLyQrPZjKbTafs5n8+99UDo9PSUzs/Pqd/v08nJCVWBqYDFYmGur6+NNdCgy5KCtnd3d6Yj+lhDhjrg5uaGbm9vWzlJwAuQGDzBAa/Be742qG8nhy4uLqgAg2IPvb6+Gjt4dNaHw6Gx8vP28f7+biaTibGSW2uLvvH/XA8VEbIeyZYUDISkQkbi+8vLy7V2kPJGCWGAkMGYaRiFz9B6Qj3NSBCTHoOXN0JIkrFrxIxGo+CsI1g8PDx4Zx7Enp+fg2OhX14ffVQlJMlg1mBwChwx35rTvIU2mLQM+aURQsfcCMxeCgkYEAscLniEJgfBh9eNhPY4IciJGxUj44jwmU0NGiHpjsfj/2SuRL84Ia7/mI4leWcAFjkkiugIsnj2BQ20DXmKBwolSOiEYGDKDAKQBveKCxjaOvOFahgugd8x3jc8VkSID6ZpV3oGRqUGDADRjrfnHsC4nLDdQWhdhQlJ76i9MDlEBjTaeNwLCEQysiYEozAhbElSvMPraWsgBTKa5kZWoxHis66tHS6Vgr3XGiC3QjKt2V5CmGVtkTpgsabUywHG5tKDAjLQ3yMP3t7eVs9y68/x+Pi4erYBhGoARw5Loj342WCR3a/3xGqls3rWCOFM41DtxGkBMigl8Hro4+Nj9Xx8fBxszAlpxL8SXkL8JKklM1w9nDK3BVFCR0dH3oah5Md3Yy9WwUYd7/cbSkN1hpcQl5AvkQGAkCO1Td7yEuKBgAcICR4IeID4TngJpRrK6yHBWAv39/c0GAzaZGU2Qr/WlLADwC6ZKu8U5M49M/mYtpfTNpy8npb0SEXHVFaYEM+9aR1yL2m5gRTwnbs8wieSChPisss5DyWmm9Ygz0OQmkxldc762P1U0YkV7XKOEvKIzU+s3GsJE6YT4nLCgLH8ACflUr9aG/xPnn8gW4mM/Fw/mvXhA5ZkfVwEhBFYlyjoMzdBz4NFcdYHkAeumI5RX2o/pWhkeICKZJ/ihAAuvdSIg0FD+TefB78sc+rgS56nLnwYi8Xtk6N2syCDRaesjw+SFAyEQdrtA4zi0ZK31X6I5R1UYnosj5CPFDfQ3Q+BQEhqsYzql94PxUhpJUYklORX0r71CAGhEO2TZEhaIAFphUJ4wd6w+y04bqyx3fcd8ty7CDLngENj6B0GtLm6umr7LUD5LTiHu81OudwiJXTDW102t1U8JIGZf3p6Wr1Joh3h8QYJytnZWa002KA6IQn3jg/k5fIQPB9RGT/ubazfyClsR3ajO+ZN08xA6C/+oN3G3JY/eGjcN1Z6WJW7KL0lPOP++AdqljW+tM7PvwAAAABJRU5ErkJggg==", "largeIconPath": "ms-appdata:///local/Pins/MSEdge._pin_mjalfbhoimpkfjlpajnjkpknoe/ContosoLogo.png" }}
]
}
```
diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md
index af0a608300..2bd6d4e1aa 100644
--- a/windows/configuration/start/layout.md
+++ b/windows/configuration/start/layout.md
@@ -431,9 +431,10 @@ You can edit the JSON file to make any modifications to the **Pinned** section o
| Key | Description |
|--|--|
- | `packagedAppID` | Used for Universal Windows Platform (UWP) apps. To pin a UWP app, use the app's AUMID. |
- | `desktopAppID` | Used for desktop apps. To pin a desktop app, use the app's AUMID. If the app doesn't have an AUMID, use the `desktopAppLink` instead. |
- | `desktopAppLink` | Used for desktop apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. |
+ |`packagedAppID`| Used for Universal Windows Platform (UWP) apps. To pin a UWP app, use the app's AUMID. |
+ |`desktopAppID`| Used for desktop apps. To pin a desktop app, use the app's AUMID. If the app doesn't have an AUMID, use the `desktopAppLink` instead. |
+ |`desktopAppLink`| Used for desktop apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. |
+ |`secondaryTile`| Used for Microsoft Edge pinned sites. |
::: zone-end
diff --git a/windows/configuration/toc.yml b/windows/configuration/toc.yml
index ccf2a0a0fb..7d7497ddca 100644
--- a/windows/configuration/toc.yml
+++ b/windows/configuration/toc.yml
@@ -17,11 +17,24 @@ items:
href: store/toc.yml
- name: Cellular settings
href: cellular/provisioning-apn.md
-- name: Kiosks and restricted user experiences
- href: assigned-access/toc.yml
+- name: Windows kiosk options
+ href: kiosk/toc.yml
- name: Multi-user and guest devices
href: shared-pc/toc.yml
- name: Provisioning packages
href: provisioning-packages/toc.yml
- name: Windows Configuration Designer
href: wcd/toc.yml
+- name: Unbranded boot
+ href: unbranded-boot/index.md
+- name: Unified write filter
+ href: unified-write-filter/toc.yml
+- name: Keyboard Filter
+ href: keyboard-filter/toc.yml
+- name: Custom Logon
+ items:
+ - name: Configure Custom Logon
+ href: custom-logon/index.md
+ - name: Troubleshoot
+ href: custom-logon/troubleshoot.md
+
diff --git a/windows/configuration/unified-write-filter/toc.yml b/windows/configuration/unified-write-filter/toc.yml
index d8105e71ec..b4d1417d81 100644
--- a/windows/configuration/unified-write-filter/toc.yml
+++ b/windows/configuration/unified-write-filter/toc.yml
@@ -1,126 +1,123 @@
-
items:
-- name: Unified Write Filter
+- name: Overview
+ href: index.md
+- name: Hibernate Once/Resume Many (HORM)
+ href: hibernate-once-resume-many-horm.md
+- name: Exclusions
+ href: uwfexclusions.md
+- name: Overlay
+ href: uwfoverlay.md
+- name: Enable
+ href: uwf-turnonuwf.md
+- name: Command Line Utility (uwfmgr.exe)
+ href: uwfmgrexe.md
+- name: Servicing
+ items:
+ - name: Servicing protected devices
+ href: service-uwf-protected-devices.md
+ - name: Antimalware support
+ href: uwf-antimalware-support.md
+ - name: Windows Updates
+ href: uwf-apply-windows-updates.md
+ - name: OEM Updates
+ href: uwf-apply-oem-updates.md
+ - name: Servicing master script
+ href: uwf-master-servicing-script.md
+ - name: Servicing screen saver
+ href: uwf-servicing-screen-saver.md
+- name: Troubleshooting
+ href: uwftroubleshooting.md
+- name: WMI Provider Reference
items:
- name: Overview
- href: index.md
- - name: Hibernate Once/Resume Many (HORM)
- href: hibernate-once-resume-many-horm.md
- - name: Exclusions
- href: uwfexclusions.md
- - name: Overlay
- href: uwfoverlay.md
- - name: Enable
- href: uwf-turnonuwf.md
- - name: Command Line Utility (uwfmgr.exe)
- href: uwfmgrexe.md
- - name: Servicing
- items:
- - name: Servicing protected devices
- href: service-uwf-protected-devices.md
- - name: Antimalware support
- href: uwf-antimalware-support.md
- - name: Windows Updates
- href: uwf-apply-windows-updates.md
- - name: OEM Updates
- href: uwf-apply-oem-updates.md
- - name: Servicing master script
- href: uwf-master-servicing-script.md
- - name: Servicing screen saver
- href: uwf-servicing-screen-saver.md
- - name: Troubleshooting
- href: uwftroubleshooting.md
- - name: WMI Provider Reference
+ href: uwf-wmi-provider-reference.md
+ - name: Class UWF_ExcludedFile
+ href: uwf-excludedfile.md
+ - name: Class UWF_ExcludedRegistryKey
+ href: uwf-excludedregistrykey.md
+ - name: Class UWF_Filter
items:
- name: Overview
- href: uwf-wmi-provider-reference.md
- - name: Class UWF_ExcludedFile
- href: uwf-excludedfile.md
- - name: Class UWF_ExcludedRegistryKey
- href: uwf-excludedregistrykey.md
- - name: Class UWF_Filter
- items:
- - name: Overview
- href: uwf-filter.md
- - name: Disable
- href: uwf-filterdisable.md
- - name: Enable
- href: uwf-filterdisable.md
- - name: ResetSettings
- href: uwf-filterresetsettings.md
- - name: RestartSystem
- href: uwf-filterrestartsystem.md
- - name: ShutdownSystem
- href: uwf-filtershutdownsystem.md
- - name: Class UWF_Overlay
- items:
- - name: Overview
- href: uwf-overlay.md
- - name: GetOverlayFiles
- href: uwf-overlaygetoverlayfiles.md
- - name: OverlayFile
- href: uwf-overlayfile.md
- - name: SetCriticalThreshold
- href: uwf-overlaysetcriticalthreshold.md
- - name: SetWarningThreshold
- href: uwf-overlaysetwarningthreshold.md
- - name: Class UWF_OverlayConfig
- items:
- - name: Overview
- href: uwf-overlayconfig.md
- - name: SetMaximumSize
- href: uwf-overlayconfigsetmaximumsize.md
- - name: SetType
- href: uwf-overlayconfigsettype.md
- - name: Class UWF_RegistryFilter
- items:
- - name: Overview
- href: uwf-registryfilter.md
- - name: AddExclusion
- href: uwf-registryfilteraddexclusion.md
- - name: CommitRegistry
- href: uwf-registryfiltercommitregistry.md
- - name: CommitRegistryDeletion
- href: uwf-registryfiltercommitregistrydeletion.md
- - name: FindExclusion
- href: uwf-registryfilterfindexclusion.md
- - name: GetExclusions
- href: uwf-registryfiltergetexclusions.md
- - name: RemoveExclusion
- href: uwf-registryfilterremoveexclusion.md
- - name: Class UWF_Servicing
- items:
- - name: Overview
- href: uwf-servicing.md
- - name: Disable
- href: uwf-servicingdisable.md
- - name: Enable
- href: uwf-servicingenable.md
- - name: UpdateWindows
- href: uwf-servicingupdatewindows.md
- - name: Class UWF_Volume
- items:
- - name: Overview
- href: uwf-volume.md
- - name: AddExclusion
- href: uwf-volumeaddexclusion.md
- - name: CommitFile
- href: uwf-volumecommitfile.md
- - name: CommitFileDeletion
- href: uwf-volumecommitfiledeletion.md
- - name: FindExclusion
- href: uwf-volumefindexclusion.md
- - name: GetExclusions
- href: uwf-volumegetexclusions.md
- - name: protect
- href: uwf-volumeprotect.md
- - name: RemoveAllExclusions
- href: uwf-volumeremoveallexclusions.md
- - name: RemoveExclusion
- href: uwf-volumeremoveexclusion.md
- - name: SetBindByDriveLetter
- href: uwf-volumesetbindbydriveletter.md
- - name: Unprotect
- href: uwf-volumeunprotect.md
- - name: Migration from Enhanced Write Filter
- href: uwf-wes7-ewf-to-win10-uwf.md
\ No newline at end of file
+ href: uwf-filter.md
+ - name: Disable
+ href: uwf-filterdisable.md
+ - name: Enable
+ href: uwf-filterdisable.md
+ - name: ResetSettings
+ href: uwf-filterresetsettings.md
+ - name: RestartSystem
+ href: uwf-filterrestartsystem.md
+ - name: ShutdownSystem
+ href: uwf-filtershutdownsystem.md
+ - name: Class UWF_Overlay
+ items:
+ - name: Overview
+ href: uwf-overlay.md
+ - name: GetOverlayFiles
+ href: uwf-overlaygetoverlayfiles.md
+ - name: OverlayFile
+ href: uwf-overlayfile.md
+ - name: SetCriticalThreshold
+ href: uwf-overlaysetcriticalthreshold.md
+ - name: SetWarningThreshold
+ href: uwf-overlaysetwarningthreshold.md
+ - name: Class UWF_OverlayConfig
+ items:
+ - name: Overview
+ href: uwf-overlayconfig.md
+ - name: SetMaximumSize
+ href: uwf-overlayconfigsetmaximumsize.md
+ - name: SetType
+ href: uwf-overlayconfigsettype.md
+ - name: Class UWF_RegistryFilter
+ items:
+ - name: Overview
+ href: uwf-registryfilter.md
+ - name: AddExclusion
+ href: uwf-registryfilteraddexclusion.md
+ - name: CommitRegistry
+ href: uwf-registryfiltercommitregistry.md
+ - name: CommitRegistryDeletion
+ href: uwf-registryfiltercommitregistrydeletion.md
+ - name: FindExclusion
+ href: uwf-registryfilterfindexclusion.md
+ - name: GetExclusions
+ href: uwf-registryfiltergetexclusions.md
+ - name: RemoveExclusion
+ href: uwf-registryfilterremoveexclusion.md
+ - name: Class UWF_Servicing
+ items:
+ - name: Overview
+ href: uwf-servicing.md
+ - name: Disable
+ href: uwf-servicingdisable.md
+ - name: Enable
+ href: uwf-servicingenable.md
+ - name: UpdateWindows
+ href: uwf-servicingupdatewindows.md
+ - name: Class UWF_Volume
+ items:
+ - name: Overview
+ href: uwf-volume.md
+ - name: AddExclusion
+ href: uwf-volumeaddexclusion.md
+ - name: CommitFile
+ href: uwf-volumecommitfile.md
+ - name: CommitFileDeletion
+ href: uwf-volumecommitfiledeletion.md
+ - name: FindExclusion
+ href: uwf-volumefindexclusion.md
+ - name: GetExclusions
+ href: uwf-volumegetexclusions.md
+ - name: protect
+ href: uwf-volumeprotect.md
+ - name: RemoveAllExclusions
+ href: uwf-volumeremoveallexclusions.md
+ - name: RemoveExclusion
+ href: uwf-volumeremoveexclusion.md
+ - name: SetBindByDriveLetter
+ href: uwf-volumesetbindbydriveletter.md
+ - name: Unprotect
+ href: uwf-volumeunprotect.md
+ - name: Migration from Enhanced Write Filter
+ href: uwf-wes7-ewf-to-win10-uwf.md
\ No newline at end of file
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 7b2cccd5ae..65fbde4219 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -7,6 +7,7 @@ metadata:
ms.topic: landing-page
ms.collection:
- tier1
+ - essentials-security
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
@@ -173,4 +174,4 @@ landingContent:
- text: Universal Print
url: /universal-print
- text: Remote wipe
- url: /windows/client-management/mdm/remotewipe-csp
\ No newline at end of file
+ url: /windows/client-management/mdm/remotewipe-csp
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
index ae3cb0475f..9548dd1826 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -9,7 +9,7 @@ ms.topic: how-to
The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
-- [Microsoft Account](https://account.microsoft.com/account/faq)
+- [Microsoft Account](https://support.microsoft.com/account-billing/ace6f3b3-e2d3-aeb1-6b96-d2e9e7e52133)
- [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)