deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update CSP documentation to use refreshed Assigned Access reference docs.

Browse Source
This commit is contained in:
Paolo Matarazzo 2024-02-29 16:05:22 -05:00
parent e626ddb69a
commit 8690f4a539
4 changed files with 30 additions and 797 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

802
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -1,7 +1,7 @@
---
title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP.
ms.date: 01/18/2024
ms.date: 02/29/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,19 +11,9 @@ ms.date: 01/18/2024
<!-- AssignedAccess-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
The AssignedAccess configuration service provider (CSP) is used to configure a kiosk or restricted user experience. Once the CSP is executed, the next user login that is associated with the kiosk profile puts the device into the kiosk mode specified in the CSP configuration.
- For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a single-app kiosk on Windows 10/11](/windows/configuration/kiosk-single-app).
- For a step-by-step guide for configuring multi-app kiosks, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!IMPORTANT]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
> [!WARNING]
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!NOTE]
> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
To learn more about how to configure Assigned Access, see [Configure kiosks and restricted user experiences](/windows/configuration/assigned-access).
<!-- AssignedAccess-Editable-End -->
<!-- AssignedAccess-Tree-Begin -->
@ -59,20 +49,8 @@ This node accepts an AssignedAccessConfiguration xml as input.
<!-- Device-Configuration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The input XML specifies the settings that you can configure in the kiosk or device.
To learn how to configure xml file, see [Create an Assigned Access configuration XML file](/windows/configuration/assigned-access/configuration-file)
In **Windows 10, version 1803** the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like `shift+alt+a`, where `shift` and `alt` are the modifiers and `a` is the key.
In **Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446)**, AssignedAccessConfiguration schema was updated to add StartPins and TaskbarLayout nodes to support pinning apps to the Start Menu and Taskbar respectively.
- For more information about setting up a multi-app kiosk, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
- For more information on the schema, see [AssignedAccessConfiguration XSD](#assignedaccessconfiguration-xsd).
- For examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples).
> [!NOTE]
> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).
<!-- Device-Configuration-Editable-End -->
<!-- Device-Configuration-DFProperties-Begin -->
@ -165,8 +143,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
>
> This applies to both `domain\user`, `AzureAD\someone@contoso.onmicrosoft.com`, as long as a `\` is used in JSON string.
- For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app).
- For more information about single-app kiosk, see [Set up a single-app kiosk on Windows 10/11.](/windows/configuration/kiosk-single-app)
- For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/store/find-aumid)
> [!IMPORTANT]
>
@ -293,9 +270,8 @@ This node accepts a ShellLauncherConfiguration xml as input.
<!-- Device-ShellLauncher-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
In **Windows 10, version 1903**, Shell Launcher V2 was introduced to support both UWP and Win32 apps as the custom shell.
For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher).
To learn about Shell Launcher, see [What is Shell Launcher?](/windows/configuration/assigned-access/shell-launcher).
> [!IMPORTANT]
> You can't set both ShellLauncher and KioskModeApp at the same time on the device.
@ -317,193 +293,8 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau
<!-- Device-ShellLauncher-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**ShellLauncherConfiguration XSD**:
> [!NOTE]
> Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD.
- Shell Launcher V1 XSD
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:default="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
targetNamespace="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
>
<xs:import namespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="DefaultProfile" type="default_profile_t"/>
<xs:element name="Profile" type="profile_t"/>
</xs:choice>
<xs:element name="Profile" type="profile_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="default_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_shell_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Shell" type="xs:string" use="required"/>
<xs:attribute ref="V2:AppType"/>
<xs:attribute ref="V2:AllAppsFullScreen"/>
</xs:complexType>
<xs:complexType name="custom_shell_t">
<xs:all minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeActions" type="return_code_action_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedReturnCodes">
<xs:selector xpath="default:ReturnCodeAction"/>
<xs:field xpath="@ReturnCode"/>
</xs:unique>
</xs:element>
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:all>
<xs:attribute name="Shell" type="xs:string" />
<xs:attribute ref="V2:AppType"/>
<xs:attribute ref="V2:AllAppsFullScreen"/>
</xs:complexType>
<xs:complexType name="default_action_t">
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:simpleType name="system_action_t">
<xs:restriction base="xs:string">
<xs:enumeration value="RestartShell" />
<xs:enumeration value="RestartDevice" />
<xs:enumeration value="ShutdownDevice" />
<xs:enumeration value="DoNothing" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="custom_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="return_code_action_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeAction" type="return_code_action_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="return_code_action_t">
<xs:attribute name="ReturnCode" type="xs:integer" use="required"/>
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="account_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutexNameOrSID">
<xs:selector xpath="."/>
<xs:field xpath="@Name|@Sid"/>
</xs:key>
</xs:element>
<xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
</xs:choice>
<xs:element name="Profile" type="profile_id_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="account_t">
<xs:attribute name="Name" type="xs:string" use="optional"/>
<xs:attribute name="Sid" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{50021E57-1CE4-49DF-99A9-8DB659E2C2DD}"/>
</xs:complexType>
<xs:complexType name="profile_id_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="ShellLauncherConfiguration">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Profiles" type="profile_list_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDuplicatedProfiles">
<xs:selector xpath="default:Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedConfigs_Name">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Name"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedConfigs_Sid">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Sid"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedAutoLogonAccount">
<xs:selector xpath="default:Config/default:AutoLogonAccount"/>
<xs:field xpath="@HiddenId"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
- Shell Launcher V2 XSD
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
xmlns:default="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
targetNamespace="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"
>
<xs:attribute name="AppType">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="UWP"/>
<xs:enumeration value="Desktop"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="AllAppsFullScreen" type="xs:boolean"/>
</xs:schema>
```
Here's the Shell Launcher XSD reference article: [Shell Launcher XML Schema Definition (XSD)](/windows/configuration/assigned-access/shell-launcher/xsd).
**Examples**:
@ -1026,589 +817,14 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## AssignedAccessConfiguration XSD
- Schema for AssignedAccessConfiguration.
Here's the Assigned Access XSD reference article: [Assigned Access XML Schema Definition (XSD)](/windows/configuration/assigned-access/xsd).
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attributeGroup ref="ClassicApp_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="ClassicApp_attributeGroup">
<xs:attribute ref="v4:ClassicAppPath"/>
<xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="profile_t">
<xs:choice>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/>
<xs:element ref="rs5:FileExplorerNamespaceRestrictions" minOccurs="0" maxOccurs="1"/>
<xs:element name="StartLayout" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element ref="v5:StartPins" minOccurs="0" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
<xs:element ref="v5:TaskbarLayout" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutualExclusionAumidOrClassicAppPath">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/>
</xs:key>
<xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/>
</xs:unique>
</xs:element>
<xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:choice>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1" >
<xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="default:App"/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:unique>
<xs:unique name="OnlyOneAppCanHaveAutoLaunch">
<xs:selector xpath="default:App"/>
<xs:field xpath="@rs5:AutoLaunch"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedapps_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
<xs:key name="mutexAumidOrDesktopApp">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="app_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attribute name="DesktopAppPath" type="xs:string"/>
<xs:attributeGroup ref="autoLaunch_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="autoLaunch_attributeGroup">
<xs:attribute ref="rs5:AutoLaunch"/>
<xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="taskbar_t">
<xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="profileId_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" >
<xs:element ref="v3:GlobalProfile" minOccurs="0" maxOccurs="1"/>
<xs:element name="Config" type="config_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice>
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="UserGroup" type="group_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="SpecialGroup" type="specialGroup_t" minOccurs="1" maxOccurs="1" />
</xs:choice>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/>
<xs:attribute ref="rs5:DisplayName" use="optional" />
</xs:complexType>
<xs:complexType name="group_t">
<xs:attribute name="Name" type="xs:string" use="required"/>
<xs:attribute name="Type" type="groupType_t" use="required"/>
</xs:complexType>
<xs:complexType name="specialGroup_t">
<xs:attribute name="Name" type="specialGroupType_t" use="required"/>
</xs:complexType>
<xs:simpleType name="groupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="LocalGroup"/>
<xs:enumeration value="ActiveDirectoryGroup"/>
<xs:enumeration value="AzureActiveDirectoryGroup"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="specialGroupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Visitor"/>
<xs:enumeration value="DeviceOwner"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="fileExplorerNamespaceRestrictions_t">
<xs:sequence minOccurs="1">
<xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedFileExplorerNamespace_t">
<xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t"/>
</xs:complexType>
<xs:simpleType name="allowedFileExplorerNamespaceValues_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Downloads"/>
</xs:restriction>
</xs:simpleType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Profiles" type="profile_list_t">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="default:Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t">
<xs:unique name="duplicateAutoLogonAccountForbidden">
<xs:selector xpath=".//default:AutoLogonAccount"/>
<xs:field xpath="@HiddenId"/>
</xs:unique>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>);
```
- Schema for features introduced in Windows 10, version 1809 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
xmlns="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<xs:attribute name="ClassicAppPath" type="xs:string"/>
<xs:attribute name="ClassicAppArguments" type="xs:string"/>
<xs:element name="BreakoutSequence" type="BreakoutSequence_t" />
<xs:complexType name="BreakoutSequence_t">
<xs:attribute name="Key" type="xs:string" use="required"/>
</xs:complexType>
</xs:schema>
```
- Schema for new features introduced in Windows 10 1809 release.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:complexType name="fileExplorerNamespaceRestrictions_t">
<xs:choice>
<xs:sequence minOccurs="0">
<xs:element name="AllowedNamespace" type="allowedFileExplorerNamespace_t" minOccurs="0"/>
<xs:element ref="v3:AllowRemovableDrives" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:element ref="v3:NoRestriction" minOccurs="0" maxOccurs="1" />
</xs:choice>
</xs:complexType>
<xs:complexType name="allowedFileExplorerNamespace_t">
<xs:attribute name="Name" type="allowedFileExplorerNamespaceValues_t" use="required"/>
</xs:complexType>
<xs:simpleType name="allowedFileExplorerNamespaceValues_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Downloads"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="FileExplorerNamespaceRestrictions" type="fileExplorerNamespaceRestrictions_t" />
<xs:attribute name="AutoLaunch" type="xs:boolean"/>
<xs:attribute name="AutoLaunchArguments" type="xs:string"/>
<xs:attribute name="DisplayName" type="xs:string"/>
</xs:schema>
```
- Schema for Windows 10 prerelease.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2020/config"
>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="globalProfile_t">
<xs:attribute name="Id" type="guid_t" />
</xs:complexType>
<xs:element name="AllowRemovableDrives"/>
<xs:element name="NoRestriction" />
<xs:element name="GlobalProfile" type="globalProfile_t" />
</xs:schema>
```
## AssignedAccessConfiguration examples
> [!NOTE]
> To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that was added in the 1809 release, use the below sample. Notice an alias `r1809` is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
>
> ```xml
> <AssignedAccessConfiguration
> xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
> xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config"
> >
> <Profiles>
> <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
> <AllAppsList>
> <AllowedApps>
> <App DesktopAppPath="%SystemRoot%\system32\notepad.exe" r1809:AutoLaunch="true" r1809:AutoLaunchArguments="1.txt"/>
> ...
> </AssignedAccessConfiguration>
> ```
- Example XML configuration for a multi-app kiosk for Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446).
> [!NOTE]
> This example demonstrates the use of StartPins and TaskbarLayout elements. For more information, see [Set up a multi-app kiosk on Windows 11 devices](/windows/configuration/lock-down-windows-11-to-specific-apps).
>
> - StartPins element is used to pin apps to the Start menu and uses the [pinnedList JSON](/windows/configuration/customize-start-menu-layout-windows-11#get-the-pinnedlist-json) format.
> - TaskbarLayout element is used to pin apps to the taskbar and uses the [TaskbarLayoutModification XML](/windows/configuration/customize-taskbar-windows-11#create-the-xml-file) format.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!BCHost" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!ContentProcess" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" />
<App DesktopAppPath="%SystemRoot%\system32\notepad.exe" />
<App DesktopAppPath="%SystemRoot%\system32\control.exe" />
<App DesktopAppPath="%SystemRoot%\system32\cmd.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" />
<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\103.0.1264.62\identity_helper.exe" />
</AllowedApps>
</AllAppsList>
<v2:FileExplorerNamespaceRestrictions>
<v3:NoRestriction />
</v2:FileExplorerNamespaceRestrictions>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1"
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Life at a glance">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AppData%\Microsoft\Windows\Start Menu\Programs\Accessories\notepad.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%SystemRoot%\system32\cmd.exe" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%SystemRoot%\system32\control.exe" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>]]>
</StartLayout>
<v5:StartPins>
<![CDATA[{
"pinnedList": [
{ "desktopAppId": "MSEdge" },
{ "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" },
{ "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" },
{ "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" },
{ "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk" },
{ "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" }
]
}]]>
</v5:StartPins>
<Taskbar ShowTaskbar="true"/>
<v5:TaskbarLayout>
<![CDATA[<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout" Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>]]>
</v5:TaskbarLayout>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
- Example XML configuration for a multi-app kiosk for Windows 10.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>EdgeKioskUser</Account>
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
> [!NOTE]
> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
<v4:BreakoutSequence Key="Ctrl+A"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>EdgeKioskUser</Account>
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
</details>
For practical examples of Assigned Access configuration files, see [Assigned Access examples](/windows/configuration/assigned-access/examples).
## Windows Holographic for Business edition example
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning).
```xml
<?xml version="1.0" encoding="utf-8" ?>
<!--
This is a sample Assigned Access XML file. The Profile specifies which apps are allowed
and their app IDs. An Assigned Access Config specifies the accounts or groups to which
a Profile is applicable.
!!! NOTE: Change the Account below to a user in the tenant being tested !!!
-->
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<!-- Learning app -->
<App AppUserModelId="GGVLearning_cw5n1h2txyewy!GGVLearning" />
<!-- Calibration app -->
<App AppUserModelId="ViewCalibrationApp_cw5n1h2txyewy!ViewCalibrationApp" />
<!-- Feedback Hub -->
<App AppUserModelId="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe!App" />
<!-- HoloSkype -->
<App AppUserModelId="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</AllowedApps>
</AllAppsList>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Life at a glance">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<!-- IMPORTANT: Replace the account name here with an email address of the user you want to
be enabled for assigned access. The value in the Account node must begin with
AzureAD\ for AAD accounts. -->
<Config>
<Account>AzureAD\multiusertest@analogfre.onmicrosoft.com</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
## Handling XML in Configuration
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.

15
windows/configuration/assigned-access/index.md
View File

@ -110,4 +110,19 @@ These locations contain the latest "evaluated" configuration for each sign-in us
"HKCU\SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration" (If it doesn't exist, it means no Assigned Access to be enforced for this user.)
> [!WARNING]
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!NOTE]
> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!NOTE]
> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).
> [!IMPORTANT]
> - You can't set both KioskModeApp and ShellLauncher at the same time on the device.
> [!NOTE]
> To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that was added in the 1809 release, use the below sample. Notice an alias `r1809` is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
-->

8
windows/configuration/assigned-access/overview.md
View File

@ -18,8 +18,8 @@ Assigned Access is a Windows feature that you can use to configure a device as a
A single UWP application or Microsoft Edge is executed in full screen, above the lock screen. Users can only use that application. If the kiosk app is closed, it will automatically restart. Practical examples include:
- Digital signs
- Public web browsing kiosks
- Public browsing
- Interactive digital signage
This experience is sometimes referred to as *single-app kiosk*.
:::column-end:::
@ -30,13 +30,15 @@ Assigned Access is a Windows feature that you can use to configure a device as a
:::column-end:::
:::column span="3":::
#### Restricted user experience
Users can execute a defined list of applications, with a custom and locked down Start menu and Taskbar. Practical examples include:
Users can execute a defined list of applications, with a custom Start menu and Taskbar. Practical examples include:
- Frontline worker devices
- Student devices
- Lab devices
:::column-end:::
:::row-end:::
When applying an Assigned Access configuration to a device, different policy settings are enforced, creating a locked down experience to the users.
Assigned Access profiles only apply to non-admin accounts. When an administrator signs in, the Assigned Access restrictions don't apply.
## Configure a kiosk

2
windows/configuration/assigned-access/shell-launcher/index.md
View File

@ -36,7 +36,7 @@ Here are some limitations to consider when using Shell Launcher:
## Configure a device with Shell Launcher
To configure Shell Launcher, you must use the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher). The configuration of Shell Launcher is done using an XML file. The XML file is then applied to the device via the Assigned Access CSP, using one of the following options:
The configuration of Shell Launcher is done using an XML file. The XML file is applied to the device via the [Assigned Access CSP](/windows/client-management/mdm/assignedaccess-csp#shelllauncher), using one of the following options:
- A Mobile Device Management (MDM) solution, like Microsoft Intune
- Provisioning packages