deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 14:23:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Delete unused images and update documentation

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-01-25 09:32:58 -05:00
parent 803a89be76
commit 85c0a9ee00
116 changed files with 2770 additions and 2989 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md
View File

@ -4,22 +4,22 @@ description: To configure assigned access (kiosk mode), you need the Application
ms.topic: article
ms.date: 12/31/2017
---
# Find the Application User Model ID of an installed app
# Find the Application User Model ID of an installed app
To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry.
To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry.
## To find the AUMID by using Windows PowerShell
## To find the AUMID by using Windows PowerShell
To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command:
To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command:
```powershell
Get-StartApps
```
```
To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands:
To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands:
```powershell
$installedapps = Get-AppxPackage
$installedapps = Get-AppxPackage
$aumidList = @()
foreach ($app in $installedapps)
@ -28,39 +28,39 @@ foreach ($app in $installedapps)
{
$aumidList += $app.packagefamilyname + "!" + $id
}
}
}
$aumidList
```
```
You can add the `-user <username>` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters.
You can add the `-user <username>` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters.
## To find the AUMID by using File Explorer
## To find the AUMID by using File Explorer
To get the names and AUMIDs for all apps installed for the current user, perform the following steps:
To get the names and AUMIDs for all apps installed for the current user, perform the following steps:
1. Open **Run**, enter **shell:Appsfolder**, and select **OK**.
1. Open **Run**, enter **shell:Appsfolder**, and select **OK**.
2. A File Explorer window opens. Press **Alt** > **View** > **Choose details**.
1. A File Explorer window opens. Press **Alt** > **View** > **Choose details**.
3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
![Image of the Choose Details options.](images/aumid-file-explorer.png)
![Image of the Choose Details options.](images/aumid-file-explorer.png)
## To find the AUMID of an installed app for the current user by using the registry
## To find the AUMID of an installed app for the current user by using the registry
Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
At a command prompt, type the following command:
At a command prompt, type the following command:
`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"`
`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"`
### Example to get AUMIDs of the installed apps for the specified user
### Example to get AUMIDs of the installed apps for the specified user
The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
```powershell
function listAumids( $userAccount ) {
function listAumids( $userAccount ) {
if ($userAccount -eq "allusers")
{
@ -76,7 +76,7 @@ function listAumids( $userAccount ) {
{
# Find installed packages for the current account.
$installedapps = Get-AppxPackage
}
}
$aumidList = @()
foreach ($app in $installedapps)
@ -85,28 +85,28 @@ function listAumids( $userAccount ) {
{
$aumidList += $app.packagefamilyname + "!" + $id
}
}
}
return $aumidList
}
```
```
The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it.
The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it.
```powershell
# Get a list of AUMIDs for the current account:
listAumids
listAumids
# Get a list of AUMIDs for an account named "CustomerAccount":
listAumids("CustomerAccount")
listAumids("CustomerAccount")
# Get a list of AUMIDs for all accounts on the device:
listAumids("allusers")
```
```
### Example to get the AUMID of any application in the Start menu
### Example to get the AUMID of any application in the Start menu
The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu.
The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu.
```powershell
function Get-AppAUMID {
@ -126,16 +126,16 @@ else {
Return $Result
}
}
```
```
The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it.
The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it.
```powershell
# Get the AUMID for OneDrive
Get-AppAUMID -AppName OneDrive
Get-AppAUMID -AppName OneDrive
# Get the AUMID for Microsoft Word
Get-AppAUMID -AppName Word
Get-AppAUMID -AppName Word
# List all apps and their AUMID in the Start menu
Get-AppAUMID

116
windows/configuration/kiosk/guidelines-for-assigned-access-app.md
View File

@ -3,53 +3,51 @@ title: Guidelines for choosing an app for assigned access
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
ms.topic: article
ms.date: 12/31/2017
---
---
# Guidelines for choosing an app for assigned access (kiosk mode)
# Guidelines for choosing an app for assigned access (kiosk mode)
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
## General guidelines
## General guidelines
- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps).
- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps).
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps.
- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps.
## Guidelines for Windows apps that launch other apps
Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
## Guidelines for Windows apps that launch other apps
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
## Guidelines for web browsers
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
## Guidelines for web browsers
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website.
Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
>
>Kiosk Browser can't access intranet websites.
>Kiosk Browser can't access intranet websites.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
1. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
1. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
### Kiosk Browser settings
### Kiosk Browser settings
Kiosk Browser settings | Use this setting to
--- | ---
@ -59,41 +57,40 @@ Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make s
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser.
Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
> [!IMPORTANT]
> To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
>
>
> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
> 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
> 1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
> 3. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com).
> 1. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com).
> 4. Save the XML file.
> 5. Open the project again in Windows Configuration Designer.
> 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
>
> 1. Save the XML file.
> 1. Open the project again in Windows Configuration Designer.
> 1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
>
>
>
> [!TIP]
> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information:
> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
> - Data type: Integer
> - Value: 1
> - Value: 1
#### Rules for URLs in Kiosk Browser settings
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
URLs can include:
- A valid port value from 1 to 65,535.
- The path to the resource.
- Query parameters.
- Query parameters.
More guidelines for URLs:
More guidelines for URLs:
- If a period precedes the host, the policy filters exact host matches only.
- You can't use user:pass fields.
@ -101,20 +98,19 @@ More guidelines for URLs:
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- Key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
### Examples of blocked URLs and exceptions
### Examples of blocked URLs and exceptions
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
Blocked URL rule | Block URL exception rule | Result
--- | --- | ---
`*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains.
`contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain.
`youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2).
The following table gives examples for blocked URLs.
`youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2).
The following table gives examples for blocked URLs.
| Entry | Result |
|--------------------------|-------------------------------------------------------------------------------|
@ -126,37 +122,37 @@ The following table gives examples for blocked URLs.
| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
| `*:8080` | Blocks all requests to port 8080. |
| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
| `192.168.1.2` | Blocks requests to 192.168.1.2. |
| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
| `192.168.1.2` | Blocks requests to 192.168.1.1. |
| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
### Other browsers
### Other browsers
You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
## Secure your information
Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
## Secure your information
## App configuration
Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
## App configuration
Check the guidelines published by your selected app and set up accordingly.
Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
## Develop your kiosk app
Check the guidelines published by your selected app and set up accordingly.
Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
## Develop your kiosk app
Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
## Test your assigned access experience
Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
## Test your assigned access experience
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you've selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.

BIN
windows/configuration/kiosk/images/apprule.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

BIN
windows/configuration/kiosk/images/appwarning.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.6 KiB

BIN
windows/configuration/kiosk/images/genrule.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.4 KiB

BIN
windows/configuration/kiosk/images/lockdownapps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.5 KiB

BIN
windows/configuration/kiosk/images/multiappassignedaccesssettings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.0 KiB

54
windows/configuration/kiosk/kiosk-mdm-bridge.md
View File

@ -5,22 +5,22 @@ appliesto:
-<a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
ms.topic: article
ms.date: 12/31/2017
---
---
# Use MDM Bridge WMI Provider to create a Windows client kiosk
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
Here's an example to set AssignedAccess configuration:
Here's an example to set AssignedAccess configuration:
1. Download the [psexec tool](/sysinternals/downloads/psexec).
1. Download the [psexec tool](/sysinternals/downloads/psexec).
2. Run `psexec.exe -i -s cmd.exe`.
3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
1. Run `psexec.exe -i -s cmd.exe`.
1. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
Step 4 is different for Windows 10 or Windows 11
Step 4 is different for Windows 10 or Windows 11
4. Execute the following script for Windows 10:
1. Execute the following script for Windows 10:
```xml
$nameSpaceName="root\cimv2\mdm\dmmap"
@ -76,49 +76,49 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
</Config>
</Configs>
</AssignedAccessConfiguration>
"@)
"@)
Set-CimInstance -CimInstance $obj
```
4. Execute the following script for Windows 11:
1. Execute the following script for Windows 11:
```xml
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
<AssignedAccessConfiguration
xmlns=http://schemas.microsoft.com/AssignedAccess/2017/config xmlns:win11=http://schemas.microsoft.com/AssignedAccess/2022/config>
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllowedApps>
</AllAppsList>
</AllAppsList>
<win11:StartPins>
<![CDATA[
<![CDATA[
{ "pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
@ -132,7 +132,7 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profile>
</Profiles>
<Configs>
@ -141,9 +141,9 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
</AssignedAccessConfiguration>
"@)
"@)
Set-CimInstance -CimInstance $obj
```

88
windows/configuration/kiosk/kiosk-methods.md
View File

@ -1,97 +1,96 @@
---
title: Configure kiosks and digital signs on Windows 10/11 desktop editions
description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
ms.topic: article
ms.date: 12/31/2017
---
---
# Configure kiosks and digital signs on Windows desktop editions
# Configure kiosks and digital signs on Windows desktop editions
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use:
- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.
- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.
A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen.
![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png)
A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen.
- **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.
![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png)
A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device.
- **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.
![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png)
A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device.
Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png)
There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
- **Which type of app will your kiosk run?**
There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
![icon that represents apps.](images/office-logo.png)
- **Which type of app will your kiosk run?**
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
![icon that represents apps.](images/office-logo.png)
- **Which type of kiosk do you need?**
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
![icon that represents a kiosk.](images/kiosk.png)
- **Which type of kiosk do you need?**
If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
![icon that represents a kiosk.](images/kiosk.png)
- **Which edition of Windows client will the kiosk run?**
If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
![icon that represents Windows.](images/windows.png)
- **Which edition of Windows client will the kiosk run?**
All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home.
![icon that represents Windows.](images/windows.png)
- **Which type of user account will be the kiosk account?**
All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home.
![icon that represents a user account.](images/user.png)
- **Which type of user account will be the kiosk account?**
The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
![icon that represents a user account.](images/user.png)
The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
>[!IMPORTANT]
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
[!INCLUDE [assigned-access-kiosk-mode](../../../includes/licensing/assigned-access-kiosk-mode.md)]
[!INCLUDE [assigned-access-kiosk-mode](../../../includes/licensing/assigned-access-kiosk-mode.md)]
## Methods for a single-app kiosk running a UWP app
## Methods for a single-app kiosk running a UWP app
You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
<span id="classic" />
<span id="classic" />
## Methods for a single-app kiosk running a Windows desktop application
## Methods for a single-app kiosk running a Windows desktop application
You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
<span id="desktop" />
<span id="desktop" />
## Methods for a multi-app kiosk
## Methods for a multi-app kiosk
You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID
[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
## Summary of kiosk configuration methods
## Summary of kiosk configuration methods
Method | App type | Account type | Single-app kiosk | Multi-app kiosk
--- | --- | --- | :---: | :---:
@ -100,10 +99,9 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ | ✅
Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✅ | ✅
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✅ |
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅
>[!NOTE]
>For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps.

40
windows/configuration/kiosk/kiosk-prepare.md
View File

@ -35,9 +35,9 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the registry**:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
1. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
- `1`: Hides all notifications except restart warnings.
- `2`: Hides all notifications, including restart warnings.
@ -57,8 +57,8 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting.
@ -68,12 +68,12 @@ For a more secure kiosk experience, we recommend that you make the following con
- Use the **Settings** app:
1. Open the **Settings** app.
2. Go to **System** > **Tablet mode**.
3. Configure the settings you want.
1. Go to **System** > **Tablet mode**.
1. Configure the settings you want.
- Use the **Action Center**:
1. On your device, swipe in from the left.
2. Select **Tablet mode**.
1. Select **Tablet mode**.
- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
@ -84,9 +84,9 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
3. Select **Do nothing**.
4. **Save changes**.
1. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
1. Select **Do nothing**.
1. **Save changes**.
- **Use Group Policy**: Your options:
@ -127,8 +127,8 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **Privacy** > **Camera**.
3. Select **Allow apps use my camera** > **Off**.
1. Go to **Privacy** > **Camera**.
1. Select **Allow apps use my camera** > **Off**.
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
@ -144,8 +144,8 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Notifications & actions**.
3. In **Show notifications on the lock screen**, select **Off**.
1. Go to **System** > **Notifications & actions**.
1. In **Show notifications on the lock screen**, select **Off**.
- **Use Group policy**:
- `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
@ -207,7 +207,6 @@ You may also want to set up **automatic logon** for your kiosk device. When your
> [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
**How to edit the registry to have an account sign in automatically**
1. Open Registry Editor (regedit.exe).
@ -215,14 +214,11 @@ You may also want to set up **automatic logon** for your kiosk device. When your
> [!NOTE]
> If you are not familiar with Registry Editor, [learn how to modify the Windows registry](/troubleshoot/windows-server/performance/windows-registry-advanced-users).
2. Go to
1. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
1. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
@ -235,7 +231,7 @@ You may also want to set up **automatic logon** for your kiosk device. When your
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key.
4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
1. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
> [!TIP]
> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon).

15
windows/configuration/kiosk/kiosk-shelllauncher.md
View File

@ -21,7 +21,6 @@ Using Shell Launcher, you can configure a device that runs an application as the
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
## Differences between Shell Launcher v1 and Shell Launcher v2
Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application.
@ -56,22 +55,21 @@ To set a custom shell, you first turn on the Shell Launcher feature, and then yo
1. Go to Control Panel &gt; **Programs and features** &gt; **Turn Windows features on or off**.
2. Expand **Device Lockdown**.
1. Expand **Device Lockdown**.
2. Select **Shell Launcher** and **OK**.
1. Select **Shell Launcher** and **OK**.
Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool.
**To turn on Shell Launcher using DISM**
1. Open a command prompt as an administrator.
2. Enter the following command.
1. Open a command prompt as an administrator.
1. Enter the following command.
```
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
## Configure a custom shell in MDM
You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM.
@ -138,7 +136,7 @@ xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
### Custom OMA-URI setting
In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v1. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
@ -174,7 +172,6 @@ static class CheckShellLauncherLicense
enabled = 0;
}
return (enabled != 0);
}
@ -215,7 +212,6 @@ try {
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
@ -229,7 +225,6 @@ function Get-UsernameSID($AccountName) {
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.

289
windows/configuration/kiosk/kiosk-single-app.md
View File

@ -6,61 +6,60 @@ ms.collection:
- tier1
ms.date: 07/12/2023
---
<!--8107263-->
<!--8107263-->
# Set up a single-app kiosk
A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png)
![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png)
>[!IMPORTANT]
>[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
>
>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste.
>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste.
You have several options for configuring your single-app kiosk.
You have several options for configuring your single-app kiosk.
- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.
- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.
This option supports:
This option supports:
- Windows 10 Pro, Enterprise, and Education
- Windows 11
- Windows 11
- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.
- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.
This option supports:
This option supports:
- Windows 10 Pro, Enterprise, and Education
- Windows 11
- Windows 11
- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings.
- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings.
This option supports:
This option supports:
- Windows 10 Pro version 1709+, Enterprise, and Education
- Windows 11
- Windows 11
- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration.
- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration.
This option supports:
This option supports:
- Windows 10 Pro version 1709+, Enterprise, and Education
- Windows 11
- Windows 11
> [!TIP]
> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
>
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="local"/>
<span id="local"/>
## Set up a kiosk in local Settings
## Set up a kiosk in local Settings
>App type:
>App type:
> - UWP
>
@ -69,120 +68,119 @@ You have several options for configuring your single-app kiosk.
> - Windows 11
>
>Account type:
> - Local standard user
> - Local standard user
You can use **Settings** to quickly configure one or a few devices as a kiosk.
You can use **Settings** to quickly configure one or a few devices as a kiosk.
When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
![Screenshot of automatic sign-in setting.](images/auto-signin.png)
![Screenshot of automatic sign-in setting.](images/auto-signin.png)
### Windows 10 version 1809+ / Windows 11
### Windows 10 version 1809+ / Windows 11
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings:
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings:
1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**.
Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**.
2. Select **Set up a kiosk > Assigned access**, and then select **Get started**.
1. Select **Set up a kiosk > Assigned access**, and then select **Get started**.
3. Enter a name for the new account.
1. Enter a name for the new account.
>[!NOTE]
>If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**.
>If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**.
4. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
1. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
- Which URL should be displayed when the kiosk accounts signs in
- When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
- When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
5. Select **Close**.
1. Select **Close**.
To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**.
To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**.
### Windows 10 version 1803 and earlier
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
![The Set up assigned access page in Settings.](images/kiosk-settings.png)
**To set up assigned access in PC settings**
1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
1. Select **Set up assigned access**.
1. Choose an account.
1. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
1. Close **Settings** - your choices are saved automatically, and will be applied the next time that user account signs in.
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
<span id="powershell"/>
## Set up a kiosk using Windows PowerShell
### Windows 10 version 1803 and earlier
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
![The Set up assigned access page in Settings.](images/kiosk-settings.png)
**To set up assigned access in PC settings**
1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
2. Select **Set up assigned access**.
3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** - your choices are saved automatically, and will be applied the next time that user account signs in.
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
<span id="powershell"/>
## Set up a kiosk using Windows PowerShell
>App type:
>App type:
> - UWP
>
>OS:
>OS:
> - Windows 10 Pro, Ent, Edu
> - Windows 11
>
>Account type:
>Account type:
> - Local standard user
> - Local standard user
![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png)
![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png)
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
Before you run the cmdlet:
Before you run the cmdlet:
1. Sign in as administrator.
2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
3. Sign in as the Assigned Access user account.
4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
5. Sign out as the Assigned Access user account.
6. Sign in as administrator.
1. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
1. Sign in as the Assigned Access user account.
1. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
1. Sign out as the Assigned Access user account.
1. Sign in as administrator.
To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
- **Configure assigned access by AppUserModelID and user name**: `Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>`
- **Configure assigned access by AppUserModelID and user SID**: `Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>`
- **Configure assigned access by app name and user name**: `Set-AssignedAccess -AppName <CustomApp> -UserName <username>`
- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>`
- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>`
> [!NOTE]
> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once.
> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once.
[Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md).
[Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md).
[Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**).
[Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**).
To remove assigned access, using PowerShell, run the following cmdlet:
To remove assigned access, using PowerShell, run the following cmdlet:
```powershell
Clear-AssignedAccess
```
```
<span id="wizard" />
<span id="wizard" />
## Set up a kiosk using the kiosk wizard in Windows Configuration Designer
## Set up a kiosk using the kiosk wizard in Windows Configuration Designer
>App type:
> - UWP
> - UWP
> - Windows desktop application
>
@ -193,153 +191,152 @@ Clear-AssignedAccess
>
>Account type:
> - Local standard user
> - Active Directory
![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png)
> - Active Directory
![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png)
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application.
When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application.
[Install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings:
[Install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings:
1. Enable device setup:
1. Enable device setup:
:::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software.":::
:::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software.":::
If you want to enable device setup, select **Set up device**, and configure the following settings:
If you want to enable device setup, select **Set up device**, and configure the following settings:
- **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`.
- **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades).
- **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default.
- **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
- **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
2. Set up the network:
1. Set up the network:
:::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
:::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
If you want to enable network setup, select **Set up network**, and configure the following settings:
If you want to enable network setup, select **Set up network**, and configure the following settings:
- **Set up network**: To enable wireless connectivity, select **On**.
- **Network SSID**: Enter the Service Set Identifier (SSID) of the network.
- **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
- **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
3. Enable account management:
1. Enable account management:
:::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
:::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
If you want to enable account management, select **Account Management**, and configure the following settings:
If you want to enable account management, select **Account Management**, and configure the following settings:
- **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
- **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
- **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
- **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
4. Add applications:
1. Add applications:
:::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode.":::
:::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode.":::
To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md).
To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md).
> [!WARNING]
> If you select the plus button to add an application, you must enter an application for the provisioning package to validate. If you select the plus button by mistake, then:
>
> 1. In **Installer Path**, select any executable file.
> 2. When the **Cancel** button shows, select it.
> 1. When the **Cancel** button shows, select it.
>
> These steps let you complete the provisioning package without adding an application.
> These steps let you complete the provisioning package without adding an application.
5. Add certificates:
1. Add certificates:
:::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate.":::
:::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate.":::
To add a certificate to the devices, select **Add certificates**, and configure the following settings:
To add a certificate to the devices, select **Add certificates**, and configure the following settings:
- **Certificate name**: Enter a name for the certificate.
- **Certificate path**: Browse and select the certificate you want to add.
- **Certificate path**: Browse and select the certificate you want to add.
6. Configure the kiosk account, and the kiosk mode app:
1. Configure the kiosk account, and the kiosk mode app:
:::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device.":::
:::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device.":::
To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings:
To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings:
- **Create a local standard user account to run the kiosk mode app**: Select **Yes** to create a local standard user account, and enter the **User name** and **Password**. This user account runs the app. If you select **No**, make sure you have an existing user account to run the kiosk app.
- **Auto sign-in**: Select **Yes** to automatically sign in the account when the device starts. **No** doesn't automatically sign in the account. If there are issues with auto sign-in after you apply the provisioning package, then check the Event Viewer logs for auto logon issues (`Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational`).
- **Configure the kiosk mode app**: Enter the **User name** of the account that will run the kiosk mode app. In **App type**, select the type of app to run. Your options:
- **Windows desktop application**: Enter the path or filename. If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required.
- **Universal Windows app**: Enter the AUMID.
- **Universal Windows app**: Enter the AUMID.
7. Configure kiosk common settings:
1. Configure kiosk common settings:
:::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings.":::
:::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings.":::
To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings:
To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings:
- **Set tablet mode**
- **Customize user experience**
- **Configure power settings**
- **Configure power settings**
8. Finish:
1. Finish:
:::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password.":::
:::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password.":::
To complete the wizard, select **Finish**, and configure the following setting:
To complete the wizard, select **Finish**, and configure the following setting:
- **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password.
- **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password.
>[!NOTE]
>If you want to use [the advanced editor in Windows Configuration Designer](../provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**
>If you want to use [the advanced editor in Windows Configuration Designer](../provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
[Learn how to apply a provisioning package.](../provisioning-packages/provisioning-apply-package.md)
[Learn how to apply a provisioning package.](../provisioning-packages/provisioning-apply-package.md)
<span id="mdm" />
<span id="mdm" />
## Set up a kiosk or digital sign using Microsoft Intune or other MDM service
## Set up a kiosk or digital sign using Microsoft Intune or other MDM service
>App type:
>App type:
> - UWP
>
>OS:
>OS:
> - Windows 10 Pro version 1709+, Ent, Edu
> - Windows 11
>
>Account type:
> - Local standard user
> - Microsoft Entra ID
> - Microsoft Entra ID
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
>[!TIP]
>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider.
To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider.
## Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
## Sign out of assigned access
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
> [!NOTE]
> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode.
> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode.
The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample).

2
windows/configuration/kiosk/kiosk-validate.md
View File

@ -74,8 +74,6 @@ The multi-app mode blocks the following hotkeys, which are not relevant for the
| Windows logo key + comma (,) | Temporarily peek at the desktop |
| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
### Locked-down Ctrl+Alt+Del screen
The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.

7
windows/configuration/kiosk/kiosk-xml.md
View File

@ -130,6 +130,7 @@ ms.date: 12/31/2017
</Configs>
</AssignedAccessConfiguration>
```
## Kiosk only sample XML
```xml
@ -243,6 +244,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## Microsoft Edge Kiosk XML Sample
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
@ -329,6 +331,7 @@ This sample demonstrates that only a global profile is used, with no active user
```
Below sample shows dedicated profile and global profile mixed usage, a user would use one profile, everyone else that's non-admin will use another profile.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
@ -414,6 +417,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
```
## Folder Access sample xml
Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+.
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
@ -650,7 +654,6 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
</Configs>
</AssignedAccessConfiguration>
```
## XSD for AssignedAccess configuration XML
@ -750,7 +753,6 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
<xs:attributeGroup ref="autoLaunch_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="autoLaunch_attributeGroup">
<xs:attribute ref="rs5:AutoLaunch"/>
<xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/>
@ -926,7 +928,6 @@ The following XML is the schema for Windows 10 version 1909+:
<xs:attribute name="Id" type="guid_t" />
</xs:complexType>
<xs:element name="AllowRemovableDrives"/>
<xs:element name="NoRestriction" />
<xs:element name="GlobalProfile" type="globalProfile_t" />

111
windows/configuration/kiosk/lock-down-windows-10-applocker.md
View File

@ -5,108 +5,93 @@ appliesto:
-<a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/30/2018
ms.topic: article
---
---
# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](./kiosk-methods.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](./kiosk-methods.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
>[!NOTE]
>For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md).
>For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md).
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
![install create lockdown customize.](images/lockdownapps.png)
![install create lockdown customize.](images/lockdownapps.png)
## Install apps
## Install apps
First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account.
First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account.
## Use AppLocker to set rules for apps
## Use AppLocker to set rules for apps
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
1. Run Local Security Policy (secpol.msc) as an administrator.
1. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
![configure rule enforcement.](images/apprule.png)
1. Run Local Security Policy (secpol.msc) as an administrator.
1. Check **Configured** under **Executable rules**, and then click **OK**.
1. Right-click **Executable Rules** and then click **Automatically generate rules**.
2. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
![automatically generate rules.](images/genrule.png)
![configure rule enforcement.](images/apprule.png)
1. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
1. Type a name to identify this set of rules, and then click **Next**.
1. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
1. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
1. Read the message and click **Yes**.
3. Check **Configured** under **Executable rules**, and then click **OK**.
![default rules warning.](images/appwarning.png)
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
![automatically generate rules.](images/genrule.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
6. Type a name to identify this set of rules, and then click **Next**.
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
9. Read the message and click **Yes**.
![default rules warning.](images/appwarning.png)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
1. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
1. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
1. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
```
13. Restart the device.
1. Restart the device.
## Other settings to lock down
## Other settings to lock down
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
- Remove **All apps**.
- Remove **All apps**.
Go to **Group Policy Editor** &gt; **User Configuration** &gt; **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
Go to **Group Policy Editor** &gt; **User Configuration** &gt; **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
- Hide **Ease of access** feature on the logon screen.
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Disable the camera.
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
**Note**
**Note**
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](/windows-hardware/customize/enterprise/enterprise-custom-portal).
## Customize Start screen layout for the device (recommended)
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](/windows-hardware/customize/enterprise/enterprise-custom-portal).
## Customize Start screen layout for the device (recommended)
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](../start/windows-10-start-layout-options-and-policies.md).

382
windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md
View File

@ -3,78 +3,78 @@ title: Set up a multi-app kiosk on Windows 10
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.topic: how-to
ms.date: 11/08/2023
---
---
# Set up a multi-app kiosk on Windows 10 devices
# Set up a multi-app kiosk on Windows 10 devices
> [!NOTE]
> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.
A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.
The following table lists changes to multi-app kiosk in recent updates.
The following table lists changes to multi-app kiosk in recent updates.
| New features and improvements | In update |
| --- | ---|
| - Configure [a single-app kiosk profile](#profile) in your XML file<br><br>- Assign [group accounts to a config profile](#config-for-group-accounts)<br><br>- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)<br><br>- [Automatically launch an app](#allowedapps) when the user signs in<br><br>- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809<br><br>**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)<br><br>- [Automatically launch an app](#allowedapps) when the user signs in<br><br>- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809<br><br>**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
> [!WARNING]
> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
> [!TIP]
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="intune"/>
<span id="intune"/>
## Configure a kiosk in Microsoft Intune
## Configure a kiosk in Microsoft Intune
To configure a kiosk in Microsoft Intune, see:
To configure a kiosk in Microsoft Intune, see:
- [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings)
- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows)
- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows)
<span id="provision" />
<span id="provision" />
## Configure a kiosk using a provisioning package
## Configure a kiosk using a provisioning package
Process:
Process:
1. [Create XML file](#create-xml-file)
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
1. [Add XML file to provisioning package](#add-xml)
1. [Apply provisioning package to device](#apply-ppkg)
Watch how to use a provisioning package to configure a multi-app kiosk.
Watch how to use a provisioning package to configure a multi-app kiosk.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
### Prerequisites
### Prerequisites
- Windows Configuration Designer (Windows 10, version 1709 or later)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
> [!NOTE]
> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
### Create XML file
### Create XML file
Let's start by looking at the basic structure of the XML file.
Let's start by looking at the basic structure of the XML file.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
- Multiple config sections can be associated to the same profile.
- Multiple config sections can be associated to the same profile.
- A profile has no effect if it's not associated to a config section.
- A profile has no effect if it's not associated to a config section.
![profile = app and config = account.](images/profile-config.png)
![profile = app and config = account.](images/profile-config.png)
You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md)
You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md)
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -98,71 +98,71 @@ You can start your file by pasting the following XML into an XML editor, and sav
</Config>
</Configs>
</AssignedAccessConfiguration>
```
```
#### Profile
#### Profile
There are two types of profiles that you can specify in the XML:
There are two types of profiles that you can specify in the XML:
- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen.
- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode.
- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode.
A lockdown profile section in the XML has the following entries:
A lockdown profile section in the XML has the following entries:
- [**Id**](#id)
- [**Id**](#id)
- [**AllowedApps**](#allowedapps)
- [**AllowedApps**](#allowedapps)
- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions)
- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions)
- [**StartLayout**](#startlayout)
- [**StartLayout**](#startlayout)
- [**Taskbar**](#taskbar)
- [**Taskbar**](#taskbar)
A kiosk profile in the XML has the following entries:
A kiosk profile in the XML has the following entries:
- [**Id**](#id)
- [**Id**](#id)
- [**KioskModeApp**](#kioskmodeapp)
- [**KioskModeApp**](#kioskmodeapp)
##### Id
##### Id
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
```xml
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
</Profiles>
```
```
##### AllowedApps
##### AllowedApps
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`.
- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`.
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
1. Default rule is to allow all users to launch the signed package apps.
2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
1. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
> [!NOTE]
> You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
>
> Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
> Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
Here are the predefined assigned access AppLocker rules for **desktop apps**:
Here are the predefined assigned access AppLocker rules for **desktop apps**:
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
1. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
1. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
<span id="apps-sample" />
<span id="apps-sample" />
```xml
<AllAppsList>
@ -176,16 +176,16 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
<App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt">
</AllowedApps>
</AllAppsList>
```
```
##### FileExplorerNamespaceRestrictions
##### FileExplorerNamespaceRestrictions
Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This behavior can also be set using Microsoft Intune.
Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This behavior can also be set using Microsoft Intune.
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
> [!TIP]
> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -209,34 +209,34 @@ The following example shows how to allow user access to the Downloads folder in
</Profile>
</Profiles>
</AssignedAccessConfiguration>
```
```
`FileExplorerNamespaceRestriction` has been extended in current Windows 10 Prerelease for finer granularity and easier use. For more information and full samples, see [Assigned access XML reference](kiosk-xml.md). By using new elements, you can configure whether a user can access the Downloads folder or removable drives, or have no restrictions at all.
`FileExplorerNamespaceRestriction` has been extended in current Windows 10 Prerelease for finer granularity and easier use. For more information and full samples, see [Assigned access XML reference](kiosk-xml.md). By using new elements, you can configure whether a user can access the Downloads folder or removable drives, or have no restrictions at all.
> [!NOTE]
> - `FileExplorerNamespaceRestrictions` and `AllowedNamespace:Downloads` are available in namespace `https://schemas.microsoft.com/AssignedAccess/201810/config`.
> - `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace `https://schemas.microsoft.com/AssignedAccess/2020/config`.
> - `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace `https://schemas.microsoft.com/AssignedAccess/2020/config`.
* When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser.
* When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder.
* When `AllowRemovableDrives` is used, user will be to access removable drives.
* When `NoRestriction` is used, no restriction will be applied to the dialog.
* `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time.
- When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser.
- When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder.
- When `AllowRemovableDrives` is used, user will be to access removable drives.
- When `NoRestriction` is used, no restriction will be applied to the dialog.
- `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time.
##### StartLayout
##### StartLayout
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](../start/customize-and-export-start-layout.md).
A few things to note here:
A few things to note here:
- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
- There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `<CustomTaskbarLayoutCollection>` tag in a layout modification XML as part of the assigned access configuration.
- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start:
The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start:
```xml
<StartLayout>
@ -262,63 +262,63 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato
</LayoutModificationTemplate>
]]>
</StartLayout>
```
```
> [!NOTE]
> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
![What the Start screen looks like when the XML sample is applied.](images/sample-start.png)
![What the Start screen looks like when the XML sample is applied.](images/sample-start.png)
##### Taskbar
##### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
The following example exposes the taskbar to the end user:
The following example exposes the taskbar to the end user:
```xml
<Taskbar ShowTaskbar="true"/>
```
```
The following example hides the taskbar:
The following example hides the taskbar:
```xml
<Taskbar ShowTaskbar="false"/>
```
```
> [!NOTE]
> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
##### KioskModeApp
##### KioskModeApp
**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML.
**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML.
```xml
<KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
```
```
> [!IMPORTANT]
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
#### Configs
#### Configs
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in.
The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in.
You can assign:
You can assign:
- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
> [!NOTE]
> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
##### Config for AutoLogon Account
##### Config for AutoLogon Account
When you use `<AutoLogonAccount>` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
When you use `<AutoLogonAccount>` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
The following example shows how to specify an account to sign in automatically.
The following example shows how to specify an account to sign in automatically.
```xml
<Configs>
@ -327,9 +327,9 @@ The following example shows how to specify an account to sign in automatically.
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
```
Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
```xml
<Configs>
@ -338,28 +338,28 @@ Starting with Windows 10 version 1809, you can configure the display name that w
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
```
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
> [!IMPORTANT]
> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
##### Config for individual accounts
##### Config for individual accounts
Individual accounts are specified using `<Account>`.
Individual accounts are specified using `<Account>`.
- Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`.
- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
> [!WARNING]
> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
> [!NOTE]
> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml
<Configs>
@ -368,54 +368,54 @@ Before applying the multi-app configuration, make sure the specified user accoun
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
```
##### Config for group accounts
##### Config for group accounts
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
```xml
<Config>
<UserGroup Type="LocalGroup" Name="mygroup" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
```
- Domain group: Both security and distribution groups are supported. Specify the group type as <strong>ActiveDirectoryGroup</strong>. Use the domain name as the prefix in the name attribute.
- Domain group: Both security and distribution groups are supported. Specify the group type as <strong>ActiveDirectoryGroup</strong>. Use the domain name as the prefix in the name attribute.
```xml
<Config>
<UserGroup Type="ActiveDirectoryGroup" Name="mydomain\mygroup" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
```
- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
```xml
<Config>
<UserGroup Type="AzureActiveDirectoryGroup" Name="a8d36e43-4180-4ac5-a627-fb8149bba1ac" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
```
> [!NOTE]
> If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
> If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
<span id="add-xml" />
<span id="add-xml" />
#### [Preview] Global profile
#### [Preview] Global profile
Global profile is available in Windows 10. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios.
Global profile is available in Windows 1. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios.
Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user.
Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user.
> [!NOTE]
> 1. `GlobalProfile` can only be a multi-app profile.
> 2. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML.
> 3. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config.
> 1. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML.
> 1. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -445,7 +445,7 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
@ -467,9 +467,9 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob
<v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Configs>
</AssignedAccessConfiguration>
```
```
### Add XML file to provisioning package
### Add XML file to provisioning package
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
@ -480,102 +480,102 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`.
2. Choose **Advanced provisioning**.
1. Choose **Advanced provisioning**.
3. Name your project, and select **Next**.
1. Name your project, and select **Next**.
4. Choose **All Windows desktop editions** and select **Next**.
1. Choose **All Windows desktop editions** and select **Next**.
5. On **New project**, select **Finish**. The workspace for your package opens.
1. On **New project**, select **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
1. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
7. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created.
1. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created.
![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png)
![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png)
8. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
1. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
9. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
1. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
10. On the **File** menu, select **Save.**
1. On the **File** menu, select **Save.**
11. On the **Export** menu, select **Provisioning package**.
1. On the **Export** menu, select **Provisioning package**.
12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
14. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
1. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can select **Browse** to change the default output location.
Optionally, you can select **Browse** to change the default output location.
15. Select **Next**.
1. Select **Next**.
16. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
17. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this action, select **Back** to change the output package name and path, and then select **Next** to start another build.
- If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**.
- If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**.
18. Copy the provisioning package to the root directory of a USB drive.
1. Copy the provisioning package to the root directory of a USB drive.
<span id="apply-ppkg" />
<span id="apply-ppkg" />
### Apply provisioning package to device
### Apply provisioning package to device
Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](../provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
### Use MDM to deploy the multi-app configuration
### Use MDM to deploy the multi-app configuration
Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
If your device is enrolled with an MDM service that supports applying the assigned access configuration, you can use it to apply the setting remotely.
If your device is enrolled with an MDM service that supports applying the assigned access configuration, you can use it to apply the setting remotely.
The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
## Considerations for Windows Mixed Reality immersive headsets
## Considerations for Windows Mixed Reality immersive headsets
With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps):
To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps):
```xml
<App AppUserModelId="MixedRealityLearning_cw5n1h2txyewy!MixedRealityLearning" />
<App AppUserModelId="HoloShell_cw5n1h2txyewy!HoloShell" />
<App AppUserModelId="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy!App" />
<App AppUserModelId="Microsoft.MixedReality.Portal_8wekyb3d8bbwe!App" />
```
```
These apps are in addition to any mixed reality apps that you allow.
These apps are in addition to any mixed reality apps that you allow.
**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user wouldn't have permissions to download and so their setup of the Mixed Reality Portal would fail.
**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user wouldn't have permissions to download and so their setup of the Mixed Reality Portal would fail.
After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
## Policies set by multi-app kiosk configuration
## Policies set by multi-app kiosk configuration
It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will affect other users on the device.
When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will affect other users on the device.
### Group policy
### Group policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users.
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users.
| Setting | Value |
| --- | --- |
@ -604,14 +604,14 @@ Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled - Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
Prevent access to drives from My Computer | Enabled - Restrict all drivers
> [!NOTE]
> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
### MDM policy
### MDM policy
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system.
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system.
Setting | Value | System-wide
--- | --- | ---
@ -631,30 +631,30 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
[Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
[WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
[Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes
[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes
<span id="lnk-files" />
<span id="lnk-files" />
## Provision .lnk files using Windows Configuration Designer
## Provision .lnk files using Windows Configuration Designer
First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
```PowerShell
msiexec /I "<appName>.msi" /qn /norestart
copy <appName>.lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\<appName>.lnk"
```
```
In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**:
In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**:
- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file.
- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file.
> [!IMPORTANT]
> Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
> Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
- Under **CommandLine**, enter `cmd /c *FileName*.bat`.
- Under **CommandLine**, enter `cmd /c *FileName*.bat`.
## Other methods
## Other methods
Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).

8
windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md
View File

@ -120,7 +120,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
1. Default rule is to allow all users to launch the signed package apps.
2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
1. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
> [!NOTE]
> You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
@ -129,8 +129,8 @@ When the multi-app kiosk configuration is applied to a device, AppLocker rules w
Here are the predefined assigned access AppLocker rules for **desktop apps**:
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
1. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
1. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
@ -334,7 +334,6 @@ $obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
<your XML here>
"@)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
@ -348,7 +347,6 @@ if($cimSetError) {
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {

17
windows/configuration/kiosk/lockdown-features-windows-10.md
View File

@ -1,29 +1,28 @@
---
title: Lockdown features from Windows Embedded 8.1 Industry
description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
ms.topic: article
ms.topic: article
appliesto:
-<a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
---
# Lockdown features from Windows Embedded 8.1 Industry
# Lockdown features from Windows Embedded 8.1 Industry
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 1. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
|Windows Embedded 8.1 Industry lockdown feature|Windows 10 feature|Changes|
|--- |--- |--- |
|[Hibernate Once/Resume Many (HORM)](/previous-versions/windows/embedded/dn449302(v=winembedded.82)): Quick boot to device|[HORM](/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)|HORM is supported in Windows 10, version 1607 and later.|
|[Unified Write Filter](/previous-versions/windows/embedded/dn449332(v=winembedded.82)): protect a device's physical storage media|[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)|The Unified Write Filter is continued in Windows 10.|
|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.|
|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the **SMISettings** category.<br>Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.|
|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 151. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.|
|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 1. It is now configurable in Windows ICD under the **SMISettings** category.<br>Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.|
|[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.|
|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.<li>Control over which processes are able to run will now be provided by AppLocker.<li>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.|
|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 1. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.<li>Control over which processes are able to run will now be provided by AppLocker.<li>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.|
|[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.<br>Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](/mem/intune/configuration/custom-settings-windows-10) for **AboveLock/AllowActionCenterNotifications**.|
|[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.|
|[USB Filter](/previous-versions/windows/embedded/dn449350(v=winembedded.82)): restrict USB devices and peripherals on system|MDM and Group Policy|The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.<br> <br> Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Device Installation Restrictions**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Removable storage**.|
|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.<br>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.<br><br>Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.|
|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 1. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.<br>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.<br><br>Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.|
|[Gesture Filter](/previous-versions/windows/embedded/dn449374(v=winembedded.82)): block swipes from top, left, and right edges of screen|MDM and Group Policy|In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](/windows/client-management/mdm/policy-configuration-service-provider#LockDown_AllowEdgeSwipe) policy.|
|[Custom Logon](/previous-versions/windows/embedded/dn449309(v=winembedded.82)): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown|[Embedded Logon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|
|[Unbranded Boot](/previous-versions/windows/embedded/dn449249(v=winembedded.82)): custom brand a device by removing or replacing Windows boot UI elements|[Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|

66
windows/configuration/kiosk/setup-digital-signage.md
View File

@ -3,66 +3,66 @@ title: Set up digital signs on Windows
description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education).
ms.date: 09/20/2021
ms.topic: article
---
---
# Set up digital signs
Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content.
For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content.
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+.
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+.
>[!NOTE]
>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business).
>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business).
This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience).
This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience).
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
3. Open Windows Configuration Designer and select **Provision kiosk devices**.
4. Enter a friendly name for the project, and select **Finish**.
5. On **Set up device**, select **Disabled**, and select **Next**.
6. On **Set up network**, enable network setup:
- Toggle **On** wireless network connectivity.
1. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
1. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
1. Open Windows Configuration Designer and select **Provision kiosk devices**.
1. Enter a friendly name for the project, and select **Finish**.
1. On **Set up device**, select **Disabled**, and select **Next**.
1. On **Set up network**, enable network setup:
- Toggle **On** wireless network connectivity.
- Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
7. On **Account management**, select **Disabled**, and select **Next**.
8. On **Add applications**, select **Add an application**:
1. On **Account management**, select **Disabled**, and select **Next**.
1. On **Add applications**, select **Add an application**:
- For **Application name**, enter `Kiosk Browser`.
- For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
- For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
- The **Package family name** is populated automatically.
- Select **Next**.
9. On **Add certificates**, select **Next**.
10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage:
1. On **Add certificates**, select **Next**.
1. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage:
- Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
- Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
- For **App type**, select **Universal Windows App**.
- In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`.
11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
1. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu:
1. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu:
- In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
- In **BlockedUrl**, enter `*`.
- In **DefaultUrl**, enter `https://www.contoso.com/menu`.
- Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
- Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
>[!TIP]
>For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
>For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
14. On the **Export** menu, select **Provisioning package**.
15. Change the **Owner** to **IT Admin**, and select **Next**.
16. On **Select security details for the provisioning package**, select **Next**.
17. On **Select where to save the provisioning package**, select **Next**.
18. On **Build the provisioning package**, select **Build**.
19. On the **All done!** screen, click the **Output location**.
20. Copy the .ppkg file to a USB drive.
21. Attach the USB drive to the device that you want to use for your digital sign.
22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
1. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
1. On the **Export** menu, select **Provisioning package**.
1. Change the **Owner** to **IT Admin**, and select **Next**.
1. On **Select security details for the provisioning package**, select **Next**.
1. On **Select where to save the provisioning package**, select **Next**.
1. On **Build the provisioning package**, select **Build**.
1. On the **All done!** screen, click the **Output location**.
1. Copy the .ppkg file to a USB drive.
1. Attach the USB drive to the device that you want to use for your digital sign.
1. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.