diff --git a/windows/configuration/assigned-access/assigned-access-configuration-file.md b/windows/configuration/assigned-access/assigned-access-configuration-file.md index 6df3a5bbcd..e0e131e7e0 100644 --- a/windows/configuration/assigned-access/assigned-access-configuration-file.md +++ b/windows/configuration/assigned-access/assigned-access-configuration-file.md @@ -595,10 +595,8 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ```xml - + @@ -646,6 +644,12 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom With `GlobalProfile` you can define an Assigned Access profile that is applied to every non-admin account that signs in. This can be useful in scenarios like front line workers or student devices, where you want to ensure that every user has a consistent experience. +```xml + + + +``` + The following configuration demonstrates that only a global profile is used, with no user configured. [!INCLUDE [assigned-access-example-global-profile](includes/assigned-access-example-global-profile.md)] 
@@ -658,87 +662,10 @@ The following configuration demonstrates that only a global profile is used, wit ## File Explorer restrictions -When using Assigned Access, folder browsing is locked down. You can explicitly allow access to known folders when the user tries to open the file dialog box in a restricted user experience by including the `FileExplorerNamespaceRestrictions` node. +When using Assigned Access, folder browsing is locked down. You can explicitly allow access to known folders when the user tries to open the file dialog box by including the `FileExplorerNamespaceRestrictions` node. You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. -:::row::: - :::column span="1"::: - **Scenario** - :::column-end::: - :::column span="3"::: - **XML snippet** - :::column-end::: -:::row-end::: -:::row::: - :::column span="1"::: - **Block everything** - :::column-end::: - :::column span="3"::: - Either don't use the node or leave it empty - - ```xml - - - ``` - :::column-end::: -:::row-end::: -:::row::: - :::column span="1"::: - **Only allow downloads** - :::column-end::: - :::column span="3"::: - ```xml - - - - ``` - :::column-end::: -:::row-end::: - -:::row::: - :::column span="1"::: - **Only allow removable drives** - :::column-end::: - :::column span="3"::: - ```xml - - - - ``` - :::column-end::: -:::row-end::: - -:::row::: - :::column span="1"::: - **Allow both Downloads, and removable drives** - :::column-end::: - :::column span="3"::: - ```xml - - - - - ``` - :::column-end::: -:::row-end::: - -:::row::: - :::column span="1"::: - **No restrictions, all locations are allowed** - :::column-end::: - :::column span="3"::: - ```xml - - - - ``` - :::column-end::: -:::row-end::: - -> [!TIP] -> To grant access to the Downloads folder through File Explorer, add `Explorer.exe` to the list of allowed apps, and pin a file explorer shortcut to the Start menu. 
- | Property | XML namespace (alias) | |-|-| |`FileExplorerNamespaceRestrictions`|`https://schemas.microsoft.com/AssignedAccess/201810/config` (rs5)| @@ -746,7 +673,78 @@ You can specify user access to Downloads folder, Removable drives, or no restric |`AllowRemovableDrives`|`https://schemas.microsoft.com/AssignedAccess/2020/config` (v3)| |`NoRestriction`|`https://schemas.microsoft.com/AssignedAccess/2020/config` (v3)| -### Example +:::row::: +:::column span="1"::: +**Scenario** +:::column-end::: +:::column span="3"::: +**XML snippet** +:::column-end::: +:::row-end::: +:::row::: +:::column span="1"::: +**Block everything** +:::column-end::: +:::column span="3"::: +Either don't use the node or leave it empty: +```xml + + +``` +:::column-end::: +:::row-end::: +:::row::: +:::column span="1"::: +**Only allow downloads** +:::column-end::: +:::column span="3"::: +```xml + + + +``` +:::column-end::: +:::row-end::: +:::row::: +:::column span="1"::: +**Only allow removable drives** +:::column-end::: +:::column span="3"::: +```xml + + + +``` +:::column-end::: +:::row-end::: +:::row::: +:::column span="1"::: +**Allow both Downloads, and removable drives** +:::column-end::: +:::column span="3"::: +```xml + + + + +``` +:::column-end::: +:::row-end::: +:::row::: +:::column span="1"::: +**No restrictions, all locations are allowed** +:::column-end::: +:::column span="3"::: +```xml + + + +``` +:::column-end::: +:::row-end::: + +> [!TIP] +> To grant access to File Explorer in a restricted user experience, add `Explorer.exe` to the list of allowed apps, and pin a shortcut to the Start menu. [!INCLUDE [assigned-access-example-file-explorer-restrictions](includes/assigned-access-example-file-explorer-restrictions.md)]
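
Review bot: In the `@@ -646,6 +644,12 @@` hunk, the fenced `xml` block added after the `GlobalProfile` paragraph has no sentence introducing it. It sits between the description and "The following configuration demonstrates that only a global profile is used", so the reader cannot tell whether the snippet is the syntax of the node or part of that example. Add a one-line lead-in before the fence that says what the snippet shows, and keep the "The following configuration" sentence directly above the `[!INCLUDE]` it refers to.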
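
Review bot: In the `@@ -658,87 +662,10 @@` hunk, the paragraph being edited keeps the unchanged sentence "You can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.", which capitalizes the same option two ways ("Removable drives" and "Removable Drives") and is missing an article before "Downloads folder". Since the first sentence of the paragraph is already being reworded, normalize these here too, ideally to match the `AllowRemovableDrives` and `NoRestriction` property names listed in the table below. The scenario heading "Allow both Downloads, and removable drives", carried over into the re-added rows, has the same casing issue and a stray comma.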
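
Review bot: In the `@@ -746,7 +673,78 @@` hunk, the reworded tip at the end ("To grant access to File Explorer in a restricted user experience, add `Explorer.exe` to the list of allowed apps") no longer says which locations the user can reach. The removed wording scoped it to "the Downloads folder through File Explorer", while the section text describes `FileExplorerNamespaceRestrictions` only in terms of the file dialog box. Because this section is about locking down folder browsing, state in the tip whether the `FileExplorerNamespaceRestrictions` settings also govern what is browsable once `Explorer.exe` is an allowed app. The same hunk also removes the `### Example` heading, so the `[!INCLUDE]` that follows the tip now has no heading or lead-in; restore one or add a sentence introducing the example.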