deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 14:23:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Delete unused images and update documentation

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-01-25 09:10:46 -05:00
parent db92659dfa
commit 803a89be76
90 changed files with 1368 additions and 1646 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md
View File

@ -1,6 +1,5 @@
---
title: Find the Application User Model ID of an installed app
ms.reviewer: sybruckm
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
ms.topic: article
ms.date: 12/31/2017

8
windows/configuration/kiosk/guidelines-for-assigned-access-app.md
View File

@ -2,19 +2,11 @@
title: Guidelines for choosing an app for assigned access
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
ms.topic: article
ms.reviewer: sybruckm
ms.date: 12/31/2017
---
# Guidelines for choosing an app for assigned access (kiosk mode)
**Applies to**
- Windows 10
- Windows 11
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience.

14
windows/configuration/kiosk/kiosk-additional-reference.md
View File

@ -1,22 +1,14 @@
---
title: More kiosk methods and reference information (Windows 10/11)
description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
ms.reviewer: sybruckm
ms.topic: reference
ms.date: 12/31/2017
---
# More kiosk methods and reference information
# More kiosk methods and reference information
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
## In this section
## In this section
Topic | Description
--- | ---
@ -28,4 +20,4 @@ Topic | Description
[Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps.
[Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface.
[Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration.
[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration.

12
windows/configuration/kiosk/kiosk-mdm-bridge.md
View File

@ -1,19 +1,13 @@
---
title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11)
description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
ms.reviewer: sybruckm
appliesto:
-<a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
ms.topic: article
ms.date: 12/31/2017
---
# Use MDM Bridge WMI Provider to create a Windows client kiosk
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
# Use MDM Bridge WMI Provider to create a Windows client kiosk
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).

25
windows/configuration/kiosk/kiosk-methods.md
View File

@ -1,6 +1,5 @@
---
title: Configure kiosks and digital signs on Windows 10/11 desktop editions
ms.reviewer: sybruckm
description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
ms.topic: article
@ -12,11 +11,6 @@ ms.date: 12/31/2017
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
**Applies to**
- Windows 10
- Windows 11
Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.
@ -70,12 +64,10 @@ There are several kiosk configuration methods that you can choose from, dependin
## Methods for a single-app kiosk running a UWP app
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
@ -84,10 +76,8 @@ You can use this method | For this edition | For this kiosk account type
## Methods for a single-app kiosk running a Windows desktop application
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
@ -96,7 +86,6 @@ You can use this method | For this edition | For this kiosk account type
## Methods for a multi-app kiosk
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID
@ -106,14 +95,14 @@ You can use this method | For this edition | For this kiosk account type
Method | App type | Account type | Single-app kiosk | Multi-app kiosk
--- | --- | --- | :---: | :---:
[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️ |
[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ |
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ |
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ | ✔️
Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✔️ | ✔️
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ |
[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | |
[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | |
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | |
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | |
Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | |
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | |
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✔️
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | |
>[!NOTE]

102
windows/configuration/kiosk/kiosk-policies.md
View File

@ -1,75 +1,61 @@
---
title: Policies enforced on kiosk devices (Windows 10/11)
description: Learn about the policies enforced on a device when you configure it as a kiosk.
ms.reviewer: sybruckm
ms.topic: article
ms.date: 12/31/2017
---
# Policies enforced on kiosk devices
# Policies enforced on kiosk devices
It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience.
**Applies to**
When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
- Windows 10 Pro, Enterprise, and Education
- Windows 11
## Group Policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users.
It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience.
When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
## Group Policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users.
| Setting | Value |
| --- | --- |
Remove access to the context menus for the task bar | Enabled
Clear history of recently opened documents on exit | Enabled
Prevent users from customizing their Start Screen | Enabled
Prevent users from uninstalling applications from Start | Enabled
Remove Run menu from Start Menu | Enabled
Disable showing balloon notifications as toast | Enabled
Do not allow pinning items in Jump Lists | Enabled
Do not allow pinning programs to the Taskbar | Enabled
Do not display or track items in Jump Lists from remote locations | Enabled
Remove Notifications and Action Center | Enabled
Lock all taskbar settings | Enabled
Lock the Taskbar | Enabled
Prevent users from adding or removing toolbars | Enabled
Prevent users from resizing the taskbar | Enabled
Remove frequent programs list from the Start Menu | Enabled
Remove Pinned programs from the taskbar | Enabled
Remove the Security and Maintenance icon | Enabled
Turn off all balloon notifications | Enabled
Turn off feature advertisement balloon notifications | Enabled
Turn off toast notifications | Enabled
Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled - Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drives
| Setting | Value |
|--|--|
| Remove access to the context menus for the task bar | Enabled |
| Clear history of recently opened documents on exit | Enabled |
| Prevent users from customizing their Start Screen | Enabled |
| Prevent users from uninstalling applications from Start | Enabled |
| Remove Run menu from Start Menu | Enabled |
| Disable showing balloon notifications as toast | Enabled |
| Do not allow pinning items in Jump Lists | Enabled |
| Do not allow pinning programs to the Taskbar | Enabled |
| Do not display or track items in Jump Lists from remote locations | Enabled |
| Remove Notifications and Action Center | Enabled |
| Lock all taskbar settings | Enabled |
| Lock the Taskbar | Enabled |
| Prevent users from adding or removing toolbars | Enabled |
| Prevent users from resizing the taskbar | Enabled |
| Remove frequent programs list from the Start Menu | Enabled |
| Remove Pinned programs from the taskbar | Enabled |
| Remove the Security and Maintenance icon | Enabled |
| Turn off all balloon notifications | Enabled |
| Turn off feature advertisement balloon notifications | Enabled |
| Turn off toast notifications | Enabled |
| Remove Task Manager | Enabled |
| Remove Change Password option in Security Options UI | Enabled |
| Remove Sign Out option in Security Options UI | Enabled |
| Remove All Programs list from the Start Menu | Enabled - Remove and disable setting |
| Prevent access to drives from My Computer | Enabled - Restrict all drives |
>[!NOTE]
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
## MDM policy
## MDM policy
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact).
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact).
Setting | Value | System-wide
--- | --- | ---
[Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
[Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
Start/HidePeopleBar | 1 - True (hide) | No
[Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
[WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
[Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes
| Setting | Value | System-wide |
|--|--|--|
| [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes |
| [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/HidePeopleBar | 1 - True (hide) | No |
| [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes |
| [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes |
| [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No |
| [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes |

266
windows/configuration/kiosk/kiosk-prepare.md
View File

@ -1,282 +1,270 @@
---
title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs
description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
ms.reviewer: sybruckm
ms.topic: article
ms.date: 12/31/2017
---
---
# Prepare a device for kiosk configuration
# Prepare a device for kiosk configuration
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
## Before you begin
## Before you begin
- [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
- Kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that's set up as a kiosk.
- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account.
- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account.
Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account.
Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account.
- MDM providers, such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
- MDM providers, such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
- [Endpoint Management at Microsoft](/mem/endpoint-manager-getting-started)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
## Configuration recommendations
## Configuration recommendations
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options:
- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications`
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications`
- **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Use the registry**:
- **Use the registry**:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
- `1`: Hides all notifications except restart warnings.
- `2`: Hides all notifications, including restart warnings.
- `2`: Hides all notifications, including restart warnings.
- **Enable and schedule automatic updates**. To enable this feature, you have the following options:
- **Enable and schedule automatic updates**. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`.
- **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available.
You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available.
- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options:
- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`.
- **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`.
- **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting.
- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting.
Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11.
Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11.
Your options:
Your options:
- Use the **Settings** app:
1. Open the **Settings** app.
2. Go to **System** > **Tablet mode**.
3. Configure the settings you want.
3. Configure the settings you want.
- Use the **Action Center**:
1. On your device, swipe in from the left.
2. Select **Tablet mode**.
2. Select **Tablet mode**.
- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
- **Use an MDM provider**: In Intune, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
- **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen).
- **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen).
- **Disable the hardware power button**: To enable this feature, you have the following options:
- **Disable the hardware power button**: To enable this feature, you have the following options:
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
3. Select **Do nothing**.
4. **Save changes**.
4. **Save changes**.
- **Use Group Policy**: Your options:
- **Use Group Policy**: Your options:
- `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**.
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
- `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy.
- `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy.
To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group.
To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group.
- **Use an MDM provider**: In Intune, you have some options:
- **Use an MDM provider**: In Intune, you have some options:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `Power\Select Power Button Action on Battery`: Set to **Take no action**.
- `Power\Select Power Button Action on Plugged In`: Set to **Take no action**.
- `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it.
- `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting:
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting:
- `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
- `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
When looking at settings, check the supported OS for each setting to make sure it applies.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage.
- [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage.
- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options:
- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options:
- **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
- **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
- **Use MDM**: In Intune, you have the following option:
- **Use MDM**: In Intune, you have the following option:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**.
- `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**.
- **Disable the camera**: To enable this feature, you have the following options:
- **Disable the camera**: To enable this feature, you have the following options:
- **Use the Settings app**:
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **Privacy** > **Camera**.
3. Select **Allow apps use my camera** > **Off**.
3. Select **Allow apps use my camera** > **Off**.
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
- **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options:
- **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options:
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
- `Camera\Allow camera`: Set to **Not allowed**.
- `Camera\Allow camera`: Set to **Not allowed**.
- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options:
- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options:
- **Use the Settings app**:
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Notifications & actions**.
3. In **Show notifications on the lock screen**, select **Off**.
3. In **Show notifications on the lock screen**, select **Off**.
- **Use Group policy**:
- `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options:
- **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options:
- [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
- [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
When looking at settings, check the supported OS for each setting to make sure it applies.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
- **Disable removable media**: To enable this feature, you have the following options:
- **Disable removable media**: To enable this feature, you have the following options:
- **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation.
- **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
- **Use an MDM provider**: In Intune, you have the following options:
- **Use an MDM provider**: In Intune, you have the following options:
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
- [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
- `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
When looking at settings, check the supported OS for each setting to make sure it applies.
When looking at settings, check the supported OS for each setting to make sure it applies.
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
- `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
- `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
## Enable logging
## Enable logging
Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
## Automatic logon
## Automatic logon
You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
> [!NOTE]
> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
**How to edit the registry to have an account sign in automatically**
**How to edit the registry to have an account sign in automatically**
1. Open Registry Editor (regedit.exe).
1. Open Registry Editor (regedit.exe).
> [!NOTE]
> If you are not familiar with Registry Editor, [learn how to modify the Windows registry](/troubleshoot/windows-server/performance/windows-registry-advanced-users).
2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
2. Go to
- *AutoAdminLogon*: set value as **1**.
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon**
- *DefaultUserName*: set value as the account that you want signed in.
3. Set the values for the following keys.
- *DefaultPassword*: set value as the password for the account.
- *AutoAdminLogon*: set value as **1**.
- *DefaultUserName*: set value as the account that you want signed in.
- *DefaultPassword*: set value as the password for the account.
> [!NOTE]
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key.
4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
> [!TIP]
> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon).
> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon).
> [!NOTE]
> If you are also using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed).
> If you are also using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed).
## Interactions and interoperability
## Interactions and interoperability
The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
- **Accessibility**: Assigned access doesn't change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
- **Accessibility**: Assigned access doesn't change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
| Key combination | Blocked behavior |
| --- | --- |
| --- | --- |
| Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. |
| Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. |
| Windows logo key + U | Open Ease of Access Center. |
| Windows logo key + U | Open Ease of Access Center. |
- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/)
- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/)
- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users.
- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users.
Alt + F4, Alt + Shift + Tab, Alt + Tab aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
Alt + F4, Alt + Shift + Tab, Alt + Tab aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
| Key combination | Blocked behavior for assigned access users |
| --- | --- |
| --- | --- |
| Alt + Esc | Cycle through items in the reverse order from which they were opened. |
| Ctrl + Alt + Esc | Cycle through items in the reverse order from which they were opened. |
| Ctrl + Esc | Open the Start screen. |
@ -286,40 +274,40 @@ The following table describes some features that have interoperability issues we
| LaunchApp1 | Open the app that is assigned to this key. |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. |
| LaunchMail | Open the default mail client. |
| Windows logo key | Open the Start screen. |
| Windows logo key | Open the Start screen. |
Keyboard Filter settings apply to other standard accounts.
Keyboard Filter settings apply to other standard accounts.
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education.
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education.
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access.
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access.
For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access.
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access.
For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter).
For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter).
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess).
If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess).
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.
For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
## Testing your kiosk in a virtual machine (VM)
## Testing your kiosk in a virtual machine (VM)
Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly.
Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly.
A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V.
A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V.
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session.
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session.
:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used.":::
:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used.":::
To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog:
To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog:
:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session.":::

250
windows/configuration/kiosk/kiosk-shelllauncher.md
View File

@ -1,105 +1,99 @@
---
title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11)
description: Shell Launcher lets you change the default shell that launches when a user signs in to a device.
ms.reviewer: sybruckm
ms.topic: article
ms.date: 12/31/2017
---
---
# Use Shell Launcher to create a Windows client kiosk
# Use Shell Launcher to create a Windows client kiosk
**Applies to**
- Windows 10 Ent, Edu
- Windows 11
Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
>[!NOTE]
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
>
>Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to:
>- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools
>- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
>- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies
>- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
## Differences between Shell Launcher v1 and Shell Launcher v2
## Differences between Shell Launcher v1 and Shell Launcher v2
Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application.
Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application.
Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new executable file can launch a Windows desktop application or a UWP app.
Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new executable file can launch a Windows desktop application or a UWP app.
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements:
- You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**.
- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
- The custom shell app runs in full screen, and can run other apps in full screen on users demand.
- The custom shell app runs in full screen, and can run other apps in full screen on user's demand.
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2).
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2).
## Requirements
## Requirements
>[!WARNING]
>- Windows 10 doesnt support setting a custom shell prior to OOBE. If you do, you wont be able to deploy the resulting image.
>- Windows 10 doesn't support setting a custom shell prior to OOBE. If you do, you won't be able to deploy the resulting image.
>
>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
- A domain, Microsoft Entra ID, or local user account.
- A domain, Microsoft Entra ID, or local user account.
- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
[See the technical reference for the shell launcher component.](/windows-hardware/customize/enterprise/shell-launcher)
[See the technical reference for the shell launcher component.](/windows-hardware/customize/enterprise/shell-launcher)
## Enable Shell Launcher feature
## Enable Shell Launcher feature
To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM.
To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM.
**To turn on Shell Launcher in Windows features**
**To turn on Shell Launcher in Windows features**
1. Go to Control Panel &gt; **Programs and features** &gt; **Turn Windows features on or off**.
1. Go to Control Panel &gt; **Programs and features** &gt; **Turn Windows features on or off**.
2. Expand **Device Lockdown**.
2. Expand **Device Lockdown**.
2. Select **Shell Launcher** and **OK**.
2. Select **Shell Launcher** and **OK**.
Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool.
Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool.
**To turn on Shell Launcher using DISM**
**To turn on Shell Launcher using DISM**
1. Open a command prompt as an administrator.
2. Enter the following command.
2. Enter the following command.
```
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
```
## Configure a custom shell in MDM
## Configure a custom shell in MDM
You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM.
You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM.
### XML for Shell Launcher configuration
### XML for Shell Launcher configuration
The following XML sample works for **Shell Launcher v1**:
The following XML sample works for **Shell Launcher v1**:
```xml
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<Profiles>
<Profiles>
<Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}">
<Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}">
<Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com" />
<Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com" />
</Profile>
</Profile>
</Profiles>
</Profiles>
<Configs>
<!--local account-->
@ -107,58 +101,58 @@ The following XML sample works for **Shell Launcher v1**:
<Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}"/>
</Configs>
</ShellLauncherConfiguration>
```
```
For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` is not specified, it implies the shell is Win32 app.
For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` is not specified, it implies the shell is Win32 app.
```xml
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<Profiles>
<DefaultProfile>
<DefaultProfile>
<Shell Shell="ShellLauncherV2DemoUwp_5d7tap497jwe8!App" v2:AppType="UWP" v2:AllAppsFullScreen="true">
<Shell Shell="ShellLauncherV2DemoUwp_5d7tap497jwe8!App" v2:AppType="UWP" v2:AllAppsFullScreen="true">
<DefaultAction Action="RestartShell"/>
<DefaultAction Action="RestartShell"/>
</Shell>
</Shell>
</DefaultProfile>
</DefaultProfile>
</Profiles>
</Profiles>
<Configs/>
<Configs/>
</ShellLauncherConfiguration>
```
```
>[!TIP]
>In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode.
>In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode.
[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
### Custom OMA-URI setting
### Custom OMA-URI setting
In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`.
For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`.
![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png)
![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png)
After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
## Configure a custom shell using PowerShell
## Configure a custom shell using PowerShell
For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md).
For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md).
For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```powershell
# Check if shell launcher license is enabled
@ -166,39 +160,39 @@ function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
}
"@
"@
$type = Add-Type -TypeDefinition $source -PassThru
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
}
[bool]$result = $false
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
@ -206,107 +200,107 @@ if (-not($result))
{
"`nThis device doesn't have required license to use Shell Launcher"
exit
}
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
}
$Cashier_SID = Get-UsernameSID("Cashier")
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
# Define actions to take when the shell program exits.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$shutdown_device = 2
# Examples. You can change these examples to use the program that you want to use as the shell.
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## default action, custom action, exit code
Shell launcher defines 4 actions to handle app exits, you can customize shell launcher and use these actions based on different exit code.
Shell launcher defines 4 actions to handle app exits, you can customize shell launcher and use these actions based on different exit code.
Value|Description
--- | ---
0|Restart the shell
1|Restart the device
2|Shut down the device
3|Do nothing
3|Do nothing
These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
``` xml
@ -316,6 +310,6 @@ To configure these action with Shell Launcher CSP, use below syntax in the shell
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
<ReturnCodeAction ReturnCode="1" Action="DoNothing"/>
</ReturnCodeActions>
<DefaultAction Action="RestartDevice"/>
<DefaultAction Action="RestartDevice"/>
```

9
windows/configuration/kiosk/kiosk-single-app.md
View File

@ -1,7 +1,6 @@
---
title: Set up a single-app kiosk on Windows
description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions.
ms.reviewer: sybruckm
ms.topic: article
ms.collection:
- tier1
@ -9,13 +8,7 @@ ms.date: 07/12/2023
---
<!--8107263-->
# Set up a single-app kiosk on Windows 10/11
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
# Set up a single-app kiosk
A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.

92
windows/configuration/kiosk/kiosk-validate.md
View File

@ -1,93 +1,85 @@
---
title: Validate kiosk configuration (Windows 10/11)
description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education.
ms.reviewer: sybruckm
ms.topic: article
ms.date: 12/31/2017
---
---
# Validate kiosk configuration
# Validate kiosk configuration
To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.
**Applies to**
Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
- Windows 10 Pro, Enterprise, and Education
- Windows 11
To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.
Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
>[!NOTE]
>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
The following sections explain what to expect on a multi-app kiosk.
The following sections explain what to expect on a multi-app kiosk.
### App launching and switching experience
### App launching and switching experience
In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
### Start changes
### Start changes
When the assigned access user signs in, you should see a restricted Start experience:
- Start gets launched in full screen and prevents the end user from accessing the desktop.
- Start gets launched in full screen and prevents the end user from accessing the desktop.
- Start shows the layout aligned with what you defined in the multi-app configuration XML.
- Start shows the layout aligned with what you defined in the multi-app configuration XML.
- Start prevents the end user from changing the tile layout.
- The user cannot resize, reposition, and unpin the tiles.
- The user cannot pin additional tiles on the start.
- Start hides **All Apps** list.
- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](/windows/client-management/mdm/policy-csp-start).)
- Start hides **Change account settings** option under **User** button.
- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](/windows/client-management/mdm/policy-csp-start).)
- Start hides **Change account settings** option under **User** button.
### Taskbar changes
### Taskbar changes
If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
- Disables context menu of Start button (Quick Link)
- Disables context menu of taskbar
- Prevents the end user from changing the taskbar
- Disables Cortana and Search Windows
- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
### Blocked hotkeys
### Blocked hotkeys
The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
| Hotkey | Action |
| --- | --- |
| Windows logo key + A | Open Action center |
| Windows logo key + Shift + C | Open Cortana in listening mode |
| Windows logo key + D | Display and hide the desktop |
| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
| Windows logo key + E | Open File Explorer |
| Windows logo key + F | Open Feedback Hub |
| Windows logo key + G | Open Game bar when a game is open |
| Windows logo key + I | Open Settings |
| Windows logo key + J | Set focus to a Windows tip when one is available. |
| Windows logo key + O | Lock device orientation |
| Windows logo key + Q | Open search |
| Windows logo key + R | Open the Run dialog box |
| Windows logo key + S | Open search |
| Windows logo key + X | Open the Quick Link menu |
| Windows logo key + comma (,) | Temporarily peek at the desktop |
| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
| Windows logo key + A | Open Action center |
| Windows logo key + Shift + C | Open Cortana in listening mode |
| Windows logo key + D | Display and hide the desktop |
| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
| Windows logo key + E | Open File Explorer |
| Windows logo key + F | Open Feedback Hub |
| Windows logo key + G | Open Game bar when a game is open |
| Windows logo key + I | Open Settings |
| Windows logo key + J | Set focus to a Windows tip when one is available. |
| Windows logo key + O | Lock device orientation |
| Windows logo key + Q | Open search |
| Windows logo key + R | Open the Run dialog box |
| Windows logo key + S | Open search |
| Windows logo key + X | Open the Quick Link menu |
| Windows logo key + comma (,) | Temporarily peek at the desktop |
| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
### Locked-down Ctrl+Alt+Del screen
The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
### Locked-down Ctrl+Alt+Del screen
### Auto-trigger touch keyboard
The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You dont need to configure any other setting to enforce this behavior.
### Auto-trigger touch keyboard
In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don't need to configure any other setting to enforce this behavior.

157
windows/configuration/kiosk/kiosk-xml.md
View File

@ -1,28 +1,21 @@
---
title: Assigned Access configuration kiosk XML reference (Windows 10/11)
description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11.
ms.reviewer: sybruckm
ms.topic: article
ms.date: 12/31/2017
---
---
# Assigned Access configuration (kiosk) XML reference
# Assigned Access configuration (kiosk) XML reference
**Applies to**
- Windows 10
- Windows 11
## Full XML sample
## Full XML sample
>[!NOTE]
>Updated for Windows 10, version 1903, 1909, and 2004.
>Updated for Windows 10, version 1903, 1909, and 2004.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
@ -56,7 +49,7 @@ ms.date: 12/31/2017
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
@ -137,7 +130,7 @@ ms.date: 12/31/2017
</Configs>
</AssignedAccessConfiguration>
```
## Kiosk only sample XML
## Kiosk only sample XML
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -157,11 +150,11 @@ ms.date: 12/31/2017
</Config>
</Configs>
</AssignedAccessConfiguration>
```
```
## Auto Launch Sample XML
## Auto Launch Sample XML
This sample demonstrates that both UWP and Win32 apps can be configured to automatically launch, when assigned access account logs in. One profile can have at most one app configured for auto launch. AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly.
This sample demonstrates that both UWP and Win32 apps can be configured to automatically launch, when assigned access account logs in. One profile can have at most one app configured for auto launch. AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -190,7 +183,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
@ -245,9 +238,9 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
<DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
</AssignedAccessConfiguration>
```
```
## Microsoft Edge Kiosk XML Sample
```xml
@ -257,7 +250,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com" />
<v4:BreakoutSequence Key="Ctrl+A"/>
@ -270,18 +263,18 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
</Config>
</Configs>
</AssignedAccessConfiguration>
```
```
## Global Profile Sample XML
## Global Profile Sample XML
Global Profile is supported on:
Global Profile is supported on:
- Windows 11
- Windows 10, version 2004 and later
- Windows 10, version 2004 and later
Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user.
Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user.
This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in.
This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -311,7 +304,7 @@ This sample demonstrates that only a global profile is used, with no active user
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
@ -333,7 +326,7 @@ This sample demonstrates that only a global profile is used, with no active user
<v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Configs>
</AssignedAccessConfiguration>
```
```
Below sample shows dedicated profile and global profile mixed usage, a user would use one profile, everyone else that's non-admin will use another profile.
```xml
@ -364,7 +357,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
@ -416,14 +409,14 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
<DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
</AssignedAccessConfiguration>
```
```
## Folder Access sample xml
Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+.
Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+.
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -655,17 +648,17 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C28}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
</AssignedAccessConfiguration>
```
```
## XSD for AssignedAccess configuration XML
## XSD for AssignedAccess configuration XML
> [!NOTE]
> Updated for Windows 10, version 1903 and later.
> Updated for Windows 10, version 1903 and later.
The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release:
The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release:
```xml
<xs:schema
@ -677,27 +670,27 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:complexType>
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attributeGroup ref="ClassicApp_attributeGroup"/>
</xs:complexType>
</xs:complexType>
<xs:attributeGroup name="ClassicApp_attributeGroup">
<xs:attribute ref="v4:ClassicAppPath"/>
<xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
</xs:attributeGroup>
</xs:attributeGroup>
<xs:complexType name="profile_t">
<xs:choice>
@ -723,7 +716,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
</xs:choice>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
</xs:complexType>
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1" >
@ -738,7 +731,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:complexType>
<xs:complexType name="allowedapps_t">
<xs:sequence minOccurs="1" maxOccurs="1">
@ -749,40 +742,40 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:complexType>
<xs:complexType name="app_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attribute name="DesktopAppPath" type="xs:string"/>
<xs:attributeGroup ref="autoLaunch_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="autoLaunch_attributeGroup">
<xs:attribute ref="rs5:AutoLaunch"/>
<xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/>
</xs:attributeGroup>
</xs:attributeGroup>
<xs:complexType name="taskbar_t">
<xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
</xs:complexType>
</xs:complexType>
<xs:complexType name="profileId_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
</xs:simpleType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" >
<xs:element ref="v3:GlobalProfile" minOccurs="0" maxOccurs="1"/>
<xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
@ -794,21 +787,21 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
</xs:choice>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/>
<xs:attribute ref="rs5:DisplayName" use="optional" />
</xs:complexType>
</xs:complexType>
<xs:complexType name="group_t">
<xs:attribute name="Name" type="xs:string" use="required"/>
<xs:attribute name="Type" type="groupType_t" use="required"/>
</xs:complexType>
</xs:complexType>
<xs:complexType name="specialGroup_t">
<xs:attribute name="Name" type="specialGroupType_t" use="required"/>
</xs:complexType>
</xs:complexType>
<xs:simpleType name="groupType_t">
<xs:restriction base="xs:string">
@ -816,30 +809,30 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
<xs:enumeration value="ActiveDirectoryGroup"/>
<xs:enumeration value="AzureActiveDirectoryGroup"/>
</xs:restriction>
</xs:simpleType>
</xs:simpleType>
<xs:simpleType name="specialGroupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Visitor"/>
<xs:enumeration value="DeviceOwner"/>
</xs:restriction>
</xs:simpleType>
</xs:simpleType>
<xs:complexType name="fileExplorerNamespaceRestrictions_t">
<xs:sequence minOccurs="1">
<xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t"/>
</xs:sequence>
</xs:complexType>
</xs:complexType>
<xs:complexType name="allowedFileExplorerNamespace_t">
<xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t"/>
</xs:complexType>
</xs:complexType>
<xs:simpleType name="allowedFileExplorerNamespaceValues_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Downloads"/>
</xs:restriction>
</xs:simpleType>
</xs:simpleType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
@ -861,9 +854,9 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
</xs:complexType>
</xs:element>
</xs:schema>
```
```
The following XML is the schema for new features introduced in Windows 10 1809 release:
The following XML is the schema for new features introduced in Windows 10 1809 release:
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -874,9 +867,9 @@ The following XML is the schema for new features introduced in Windows 10 1809 r
xmlns:default="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:complexType name="fileExplorerNamespaceRestrictions_t">
<xs:choice>
@ -886,30 +879,30 @@ The following XML is the schema for new features introduced in Windows 10 1809 r
</xs:sequence>
<xs:element ref="v3:NoRestriction" minOccurs="0" maxOccurs="1" />
</xs:choice>
</xs:complexType>
</xs:complexType>
<xs:complexType name="allowedFileExplorerNamespace_t">
<xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t" use="required"/>
</xs:complexType>
</xs:complexType>
<xs:simpleType name="allowedFileExplorerNamespaceValues_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Downloads"/>
</xs:restriction>
</xs:simpleType>
</xs:simpleType>
<xs:element name="FileExplorerNamespaceRestrictions" type="fileExplorerNamespaceRestrictions_t" />
<xs:element name="FileExplorerNamespaceRestrictions" type="fileExplorerNamespaceRestrictions_t" />
<xs:attribute name="AutoLaunch" type="xs:boolean"/>
<xs:attribute name="AutoLaunch" type="xs:boolean"/>
<xs:attribute name="AutoLaunchArguments" type="xs:string"/>
<xs:attribute name="AutoLaunchArguments" type="xs:string"/>
<xs:attribute name="DisplayName" type="xs:string"/>
<xs:attribute name="DisplayName" type="xs:string"/>
</xs:schema>
```
```
The following XML is the schema for Windows 10 version 1909+:
The following XML is the schema for Windows 10 version 1909+:
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -921,29 +914,29 @@ The following XML is the schema for Windows 10 version 1909+:
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2020/config"
>
>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
</xs:simpleType>
<xs:complexType name="globalProfile_t">
<xs:attribute name="Id" type="guid_t" />
</xs:complexType>
<xs:element name="AllowRemovableDrives"/>
<xs:element name="NoRestriction" />
<xs:element name="GlobalProfile" type="globalProfile_t" />
<xs:element name="GlobalProfile" type="globalProfile_t" />
</xs:schema>
```
```
To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias.
To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias.
For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
<AssignedAccessConfiguration

8
windows/configuration/kiosk/lock-down-windows-10-applocker.md
View File

@ -1,8 +1,8 @@
---
title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps
description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
ms.reviewer: sybruckm
appliesto:
-<a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/30/2018
ms.topic: article
---
@ -10,10 +10,6 @@ ms.topic: article
# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
**Applies to**
- Windows 10
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](./kiosk-methods.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
>[!NOTE]

6
windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md
View File

@ -1,14 +1,8 @@
---
title: Set up a multi-app kiosk on Windows 10
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.reviewer: sybruckm
ms.topic: how-to
ms.date: 11/08/2023
appliesto:
-<b>Windows 10 Pro</b>
-<b>Windows 10 Enterprise</b>
-<b>Windows 10 Education</b>
---
# Set up a multi-app kiosk on Windows 10 devices

251
windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md
View File

@ -2,65 +2,60 @@
title: Set up a multi-app kiosk on Windows 11
description: Learn how to configure a kiosk device running Windows 11 so that users can only run a few specific apps.
ms.date: 05/12/2023
ms.reviewer: sybruckm
ms.topic: how-to
---
# Set up a multi-app kiosk on Windows 11 devices
**Applies to**
- Windows 11 Pro, Enterprise, IoT Enterprise and Education
# Set up a multi-app kiosk on Windows 11 devices
> [!NOTE]
> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11.
> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11.
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk.
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk.
> [!WARNING]
> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
> [!TIP]
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
## Configure a Multi-App Kiosk
## Configure a Multi-App Kiosk
See the table below for the different methods to configure a multi-app kiosk in Windows 11.
See the table below for the different methods to configure a multi-app kiosk in Windows 11.
|Configuration Method|Availability|
|--------------------|------------|
|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023|
|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023|
<!--
<!--
Commenting out the coming soon items
|Intune|Coming soon|
|Provisioning Package Using Windows Configuration Designer| Coming soon|
-->
-->
> [!NOTE]
> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below.
> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below.
## Create the XML file
## Create the XML file
Let's start by looking at the basic structure of the XML file.
Let's start by looking at the basic structure of the XML file.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
- Multiple config sections can be associated to the same profile.
- Multiple config sections can be associated to the same profile.
- A profile has no effect if it's not associated to a config section.
- A profile has no effect if it's not associated to a config section.
You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article.
You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article.
> [!NOTE]
> If you want to write a configuration file to be applied to both Windows 10 and Windows 11 devices, follow the [Windows 10 instructions](lock-down-windows-10-to-specific-apps.md) to add the StartLayout tag to your XML file, just above the StartPins tag. Windows will automatically ignore the sections that don't apply to the version running.
> If you want to write a configuration file to be applied to both Windows 10 and Windows 11 devices, follow the [Windows 10 instructions](lock-down-windows-10-to-specific-apps.md) to add the StartLayout tag to your XML file, just above the StartPins tag. Windows will automatically ignore the sections that don't apply to the version running.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
@ -80,66 +75,66 @@ You can start your file by pasting the following XML into an XML editor, and sav
</Configs>
</AssignedAccessConfiguration>
```
#### Profile
#### Profile
There are two types of profiles that you can specify in the XML:
There are two types of profiles that you can specify in the XML:
- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen.
- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode.
- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode.
A lockdown profile section in the XML has the following entries:
A lockdown profile section in the XML has the following entries:
- [**Id**](#id)
- [**Id**](#id)
- [**AllowedApps**](#allowedapps)
- [**AllowedApps**](#allowedapps)
- [**StartPins**](#startpins)
- [**StartPins**](#startpins)
- [**Taskbar**](#taskbar)
- [**Taskbar**](#taskbar)
A kiosk profile in the XML has the following entries:
A kiosk profile in the XML has the following entries:
- [**Id**](#id)
- [**Id**](#id)
- [**KioskModeApp**](#kioskmodeapp)
- [**KioskModeApp**](#kioskmodeapp)
##### Id
##### Id
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
```xml
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
</Profiles>
```
```
##### AllowedApps
##### AllowedApps
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#create-the-xml-file).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`.
- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`.
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
1. Default rule is to allow all users to launch the signed package apps.
2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
> [!NOTE]
> You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
> Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
> Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
Here are the predefined assigned access AppLocker rules for **desktop apps**:
Here are the predefined assigned access AppLocker rules for **desktop apps**:
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
<span id="apps-sample" />
<span id="apps-sample" />
```xml
<AllAppsList>
@ -151,17 +146,17 @@ The following example allows Photos, Weather, Calculator, Paint, and Notepad app
<App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt">
</AllowedApps>
</AllAppsList>
```
```
##### StartPins
##### StartPins
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. Once you've decided, you can get the JSON needed for your kiosk configuration by following the steps to [Get the pinnedList JSON](customize-and-export-start-layout.md). If you opt to do this using the PowerShell command, make sure that the system you run the command on has the same file structure as the device on which you will apply the kiosk (the path to the allowed apps must be the same). At the end of this step, you should have a JSON pinnedList that looks something like the below.
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. Once you've decided, you can get the JSON needed for your kiosk configuration by following the steps to [Get the pinnedList JSON](customize-and-export-start-layout.md). If you opt to do this using the PowerShell command, make sure that the system you run the command on has the same file structure as the device on which you will apply the kiosk (the path to the allowed apps must be the same). At the end of this step, you should have a JSON pinnedList that looks something like the below.
Add your pinnedList JSON into the StartPins tag in your XML file.
Add your pinnedList JSON into the StartPins tag in your XML file.
```xml
<win11:StartPins>
<![CDATA[
<![CDATA[
{ "pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
@ -172,61 +167,61 @@ Add your pinnedList JSON into the StartPins tag in your XML file.
] }
]]>
</win11:StartPins>
```
```
> [!NOTE]
> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
##### Taskbar
##### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
The following example exposes the taskbar to the end user:
The following example exposes the taskbar to the end user:
```xml
<Taskbar ShowTaskbar="true"/>
```
```
The following example hides the taskbar:
The following example hides the taskbar:
```xml
<Taskbar ShowTaskbar="false"/>
```
```
> [!NOTE]
> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
##### KioskModeApp
##### KioskModeApp
**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML.
**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML.
```xml
<KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
```
```
> [!IMPORTANT]
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
#### Configs
#### Configs
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in.
The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in.
You can assign:
You can assign:
- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
> [!NOTE]
> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
##### Config for AutoLogon Account
##### Config for AutoLogon Account
When you use `<AutoLogonAccount>` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
When you use `<AutoLogonAccount>` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
The following example shows how to specify an account to sign in automatically.
The following example shows how to specify an account to sign in automatically.
```xml
<Configs>
@ -235,9 +230,9 @@ The following example shows how to specify an account to sign in automatically.
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
```
Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
```xml
<Configs>
@ -246,28 +241,28 @@ Starting with Windows 10 version 1809, you can configure the display name that w
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
```
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
##### Config for individual accounts
##### Config for individual accounts
Individual accounts are specified using `<Account>`.
Individual accounts are specified using `<Account>`.
- Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`.
- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
> [!WARNING]
> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
> [!NOTE]
> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml
<Configs>
@ -276,132 +271,132 @@ Before applying the multi-app configuration, make sure the specified user accoun
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
```
##### Config for group accounts
##### Config for group accounts
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
```xml
<Config>
<UserGroup Type="LocalGroup" Name="mygroup" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
```
- Domain group: Both security and distribution groups are supported. Specify the group type as <strong>ActiveDirectoryGroup</strong>. Use the domain name as the prefix in the name attribute.
- Domain group: Both security and distribution groups are supported. Specify the group type as <strong>ActiveDirectoryGroup</strong>. Use the domain name as the prefix in the name attribute.
```xml
<Config>
<UserGroup Type="ActiveDirectoryGroup" Name="mydomain\mygroup" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
```
- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
```xml
<Config>
<UserGroup Type="AzureActiveDirectoryGroup" Name="a8d36e43-4180-4ac5-a627-fb8149bba1ac" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
```
> [!NOTE]
> If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
> If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
<span id="add-xml" />
<span id="add-xml" />
## Configure a kiosk using WMI Bridge
## Configure a kiosk using WMI Bridge
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class.
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class.
Here's an example of how to set AssignedAccess configuration:
Here's an example of how to set AssignedAccess configuration:
1. Download the [psexec tool](/sysinternals/downloads/psexec).
1. Download the [psexec tool](/sysinternals/downloads/psexec).
1. Using an elevated command prompt, run `psexec.exe -i -s cmd.exe`.
1. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
1. Save the following Powershell excerpt as a PowerShell script (.ps1), replacing the placeholder "your XML here" with the [Sample Assigned Access XML](#sample-assigned-access-xml) then run the script at the Powershell prompt from the previous step.
1. Save the following Powershell excerpt as a PowerShell script (.ps1), replacing the placeholder "your XML here" with the [Sample Assigned Access XML](#sample-assigned-access-xml) then run the script at the Powershell prompt from the previous step.
```powershell
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
}
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
<your XML here>
"@)
"@)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
}
Exit 1
}
}
Write-Output "Successfully applied Assigned Access configuration"
```
```
## Sample Assigned Access XML
## Sample Assigned Access XML
This section contains a predefined XML file which can be used as a quickstart to get familiar with the Assigned Access multi-app kiosk feature on Windows 11.
This section contains a predefined XML file which can be used as a quickstart to get familiar with the Assigned Access multi-app kiosk feature on Windows 11.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<AllowedApps>
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
</AllowedApps>
</AllowedApps>
</AllAppsList>
</AllAppsList>
<win11:StartPins>
<![CDATA[
<![CDATA[
{ "pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
@ -414,7 +409,7 @@ This section contains a predefined XML file which can be used as a quickstart to
]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profile>
</Profiles>
<Configs>
@ -423,6 +418,6 @@ This section contains a predefined XML file which can be used as a quickstart to
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
</AssignedAccessConfiguration>
```

6
windows/configuration/kiosk/lockdown-features-windows-10.md
View File

@ -2,15 +2,13 @@
title: Lockdown features from Windows Embedded 8.1 Industry
description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
ms.topic: article
appliesto:
-<a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Lockdown features from Windows Embedded 8.1 Industry
**Applies to**
- Windows 10
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.

11
windows/configuration/kiosk/setup-digital-signage.md
View File

@ -1,18 +1,11 @@
---
title: Set up digital signs on Windows 10/11
title: Set up digital signs on Windows
description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education).
ms.reviewer: sybruckm
ms.date: 09/20/2021
ms.topic: article
---
# Set up digital signs on Windows 10/11
**Applies to**
- Windows 10 Pro, Enterprise, and Education
- Windows 11
# Set up digital signs
Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.