Remove assigned access example files

.openpublishing.redirection.windows-configuration.json

@@ -747,57 +747,57 @@
     },
     {
       "source_path": "windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md",
-      "redirect_url": "/windows/configuration/kiosk/create-xml",
+      "redirect_url": "/windows/configuration/assigned-access/configuration-file",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md",
-      "redirect_url": "/windows/configuration/kiosk/create-xml",
+      "redirect_url": "/windows/configuration/assigned-access/create-xml",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-additional-reference.md",
-      "redirect_url": "/windows/configuration/kiosk",
+      "redirect_url": "/windows/configuration/assigned-access",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-mdm-bridge.md",
-      "redirect_url": "/windows/configuration/kiosk/assigned-access-quickstart-kiosk",
+      "redirect_url": "/windows/configuration/assigned-access/quickstart-kiosk",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-policies.md",
-      "redirect_url": "/windows/configuration/kiosk/assigned-access-policy-settings",
+      "redirect_url": "/windows/configuration/assigned-access/policy-settings",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-shelllauncher.md",
-      "redirect_url": "/windows/configuration/kiosk/shell-launcher-configure",
+      "redirect_url": "/windows/configuration/assigned-access/shell-launcher",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-validate.md",
-      "redirect_url": "/windows/configuration/kiosk",
+      "redirect_url": "/windows/configuration/assigned-access/overview",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-xml.md",
-      "redirect_url": "/windows/configuration/kiosk/assigned-access-configuration-file",
+      "redirect_url": "/windows/configuration/assigned-access/configuration-file",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/setup-digital-signage.md",
-      "redirect_url": "/windows/configuration/kiosk/assigned-access-configure",
+      "redirect_url": "/windows/configuration/assigned-access/overview",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-single-app.md",
-      "redirect_url": "/windows/configuration/kiosk/assigned-access-configure",
+      "redirect_url": "/windows/configuration/assigned-access/overview",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/kiosk/kiosk-methods.md",
-      "redirect_url": "/windows/configuration/kiosk",
+      "redirect_url": "/windows/configuration/assigned-access",
       "redirect_document_id": false
     }
   ]

windows/configuration/assigned-access/configuration-file.md

@@ -8,7 +8,7 @@ appliesto:
 
 # Create an Assigned Access configuration XML file
 
-To configure Assigned Access, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Assigned Access XML Schema Definition (XSD)](assigned-access-xsd.md).
+To configure Assigned Access, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Assigned Access XML Schema Definition (XSD)](xsd.md).
 
 This article describes how to configure an Assigned Access configuration file, including practical examples.
 
@@ -583,4 +583,4 @@ Either don't use the node or leave it empty
 > [!div class="nextstepaction"]
 > Review some practical examples of Assigned Access XML configurations:
 >
-> [Assigned Access examples](assigned-access-examples.md)
+> [Assigned Access examples](examples.md)

windows/configuration/assigned-access/examples.md

@@ -13,22 +13,22 @@ This artcile contains examples of XML files to configure a device with Assigned
 
 To learn more:
 
-- [Create an Assigned Access configuration XML file](assigned-access-configuration-file.md).
+- [Create an Assigned Access configuration XML file](configuration-file.md).
-- [Assigned Access XML Schema Definition (XSD)](assigned-access-xsd.md).
+- [Assigned Access XML Schema Definition (XSD)](xsd.md).
 
 ## Kiosk experience with Microsoft Edge example
 
-[!INCLUDE [assigned-access-example-kiosk-edge](includes/assigned-access-example-kiosk-edge.md)]
+[!INCLUDE [example-kiosk-edge](includes/example-kiosk-edge.md)]
 
 ## Kiosk experience with UWP app example
 
-[!INCLUDE [assigned-access-example-kiosk-uwp](includes/assigned-access-example-kiosk-uwp.md)]
+[!INCLUDE [example-kiosk-uwp](includes/example-kiosk-uwp.md)]
 
 ::: zone pivot="windows-10"
 
 ## File Explorer restrictions example
 
-[!INCLUDE [assigned-access-example-file-explorer-restrictions](includes/assigned-access-example-file-explorer-restrictions.md)]
+[!INCLUDE [example-file-explorer-restrictions](includes/example-file-explorer-restrictions.md)]
 
 ::: zone-end
 
@@ -36,10 +36,10 @@ To learn more:
 
 The following configuration demonstrates that only a global profile is used, with no user configured.
 
-[!INCLUDE [assigned-access-example-global-profile](includes/assigned-access-example-global-profile.md)]
+[!INCLUDE [example-global-profile](includes/example-global-profile.md)]
 
 ## User Group example
 
 The following configuration demonstrates how to assign profiles to different users and groups, including a user configured to automatically sign in.
 
-[!INCLUDE [assigned-access-example-usergroup](includes/assigned-access-example-usergroup.md)]
+[!INCLUDE [example-usergroup](includes/example-usergroup.md)]

windows/configuration/assigned-access/guidelines-for-assigned-access-app.md

@@ -1,146 +0,0 @@
----
-title: Guidelines for choosing an app for assigned access
-description: The following guidelines may help you choose an appropriate Windows app for your Assigned Access experience.
-ms.topic: concept-article
-ms.date: 02/26/2024
----
-
-# Guidelines for choosing an app for Assigned Access (kiosk experience)
-
-Use Assigned Access to restrict users to use only one application, so that the device acts like a kiosk. Administrators can use Assigned Access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
-
-The following guidelines may help you choose an appropriate Windows app for your Assigned Access experience.
-
-## General guidelines
-
-- Windows apps must be provisioned or installed for the Assigned Access account before they can be selected as the Assigned Access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps).
-- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the Assigned Access settings to launch the updated app, because Assigned Access uses the AUMID to determine which app to launch.
-- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps.
-
-## Guidelines for Windows apps that launch other apps
-
-Some apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
-
-Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
-
-## Guidelines for web browsers
-
-Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
-
-In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website.
-
->[!NOTE]
->Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
->
->Kiosk Browser can't access intranet websites.
-
-**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
-
-1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
-1. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
-1. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
-
->[!NOTE]
->If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
-
-### Kiosk Browser settings
-
-| Kiosk Browser settings | Use this setting to |
-|--|--|
-| Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. <br><br>For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. |
-| Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. <br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. |
-| Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. |
-| Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. |
-| Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. |
-| Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. |
-| Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. |
-
-To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
-
-1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer
-1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18)
-1. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com)
-1. Save the XML file
-1. Open the project again in Windows Configuration Designer
-1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed
-
-> [!TIP]
->
-> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information:
->
-> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
-> - Data type: Integer
-> - Value: 1
-
-#### Rules for URLs in Kiosk Browser settings
-
-Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
-
-URLs can include:
-
-- A valid port value from 1 to 65,535.
-- The path to the resource.
-- Query parameters.
-
-More guidelines for URLs:
-
-- If a period precedes the host, the policy filters exact host matches only
-- You can't use user:pass fields
-- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence
-- The policy searches wildcards (*) last
-- The optional query is a set of key-value and key-only tokens delimited by '&'
-- Key-value tokens are separated by '='
-- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching
-
-### Examples of blocked URLs and exceptions
-
-The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
-
-| Blocked URL rule | Block URL exception rule | Result |
-|--|--|--|
-| `*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. |
-| `contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. |
-| `youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). |
-
-The following table gives examples for blocked URLs.
-
-| Entry | Result |
-|--|--|
-| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com |
-| `https://*` | Blocks all HTTPS requests to any domain. |
-| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com |
-| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. |
-| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. |
-| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
-| `*:8080` | Blocks all requests to port 8080. |
-| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
-| `192.168.1.2` | Blocks requests to 192.168.1.1. |
-| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
-
-### Other browsers
-
-You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
-
-- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
-- [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView)
-- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
-
-## Secure your information
-
-Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
-
-## App configuration
-
-Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the Assigned Access user account before OneNote will open in assigned access.
-
-Check the guidelines published by your selected app and set up accordingly.
-
-## Develop your kiosk app
-
-Assigned access in Windows client uses the new lock framework. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
-
-Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
-
-## Test your Assigned Access experience
-
-The above guidelines may help you select or develop an appropriate Windows app for your Assigned Access experience. Once you've selected your app, we recommend that you thoroughly test the Assigned Access experience to ensure that your device provides a good customer experience.

windows/configuration/assigned-access/includes/quickstart-shell-launcher-xml.md

@@ -1,35 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 02/05/2024
-ms.topic: include
----
-
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<ShellLauncherConfiguration
-xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
-xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
-    <Profiles>
-        <DefaultProfile>
-            <Shell Shell="%SystemRoot%\explorer.exe"/>
-        </DefaultProfile>
-        <Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
-            <Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe --kiosk https://www.contoso.com --edge-kiosk-type=fullscreen --kiosk-idle-timeout-minutes=2" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
-                <ReturnCodeActions>
-                    <ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
-                    <ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
-                    <ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
-                </ReturnCodeActions>
-                <DefaultAction Action="RestartShell"/>
-            </Shell>
-        </Profile>
-    </Profiles>
-    <Configs>
-        <Config>
-            <AutoLogonAccount/>
-            <Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}"/>
-        </Config>
-    </Configs>
-</ShellLauncherConfiguration>
-```

windows/configuration/assigned-access/index.md

@@ -43,14 +43,14 @@ To configure a restricted user experience you use a feature called **Assgined Ac
 Carefully evaluate all applications that users should use. If applications require user authentication, don't use a local or generic
 user account. Rather, target the group of users within the Assigned Access configuration file.
 
-A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device.
+A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, certain policy settings that affects **all** non-administrator users on the device. For a list of these policies, see [Assigned Access policy settings](policy-settings.md)
 
 Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
 
 There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
 
 - **Which type of app will your kiosk run?**
-  Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
+  Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-app.md)
 - **Which type of kiosk do you need?**
   If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a Windows desktop application. For a kiosk that people can sign in to with their accounts or that runs more than one app, choose a multi-app kiosk
 - **Which edition of Windows client will the kiosk run?**

windows/configuration/assigned-access/overview.md

@@ -72,7 +72,7 @@ Here are the steps to configure a kiosk using the Settings app:
     >[!NOTE]
     >If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
 
-1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
+1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
 
     - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
     - Which URL should be open when the kiosk accounts signs in
@@ -144,7 +144,7 @@ You can configure devices using a [custom policy][MEM-1] with the [AssignedAcces
 - **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
 - **Value:**
 
-[!INCLUDE [assigned-access-quickstart-kiosk-xml](includes/assigned-access-quickstart-kiosk-xml.md)]
+[!INCLUDE [quickstart-kiosk-xml](includes/quickstart-kiosk-xml.md)]
 
 #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -153,7 +153,7 @@ You can configure devices using a [custom policy][MEM-1] with the [AssignedAcces
 - **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
 - **Value:**
 
-[!INCLUDE [assigned-access-quickstart-kiosk-xmll](includes/assigned-access-quickstart-kiosk-xml.md)]
+[!INCLUDE [quickstart-kiosk-xmll](includes/quickstart-kiosk-xml.md)]
 
 [!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
 
@@ -289,14 +289,14 @@ Watch how to use a provisioning package to configure a multi-app kiosk.
 An Assigned Access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk.
 
 > [!WARNING]
-> The Assigned Access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, [certain policy settings](assigned-access-policy-settings.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the Assigned Access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+> The Assigned Access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, [certain policy settings](policy-settings.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the Assigned Access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
 
 > [!TIP]
 > Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
 
 ### Provisioning package
 
-Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](assigned-access-xsd.md).
+Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](xsd.md).
 
 Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md).
 
@@ -372,7 +372,7 @@ To test the kiosk, sign in with the Assigned Access user account you specified i
 >[!NOTE]
 >The kiosk configuration setting will take effect the next time the Assigned Access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
 
-When Assigned Access is configured, different policy settings are applied to the device to provide a secured, locked-down experience. For more information, see [assigned-access-policy-settings](assigned-access-policy-settings.md).
+When Assigned Access is configured, different policy settings are applied to the device to provide a secured, locked-down experience. For more information, see [policy-settings](policy-settings.md).
 
 Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
 
@@ -423,3 +423,147 @@ For desktop apps,
 
 3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
 -->
+
+<!--
+
+# Guidelines for choosing an app for Assigned Access (kiosk experience)
+
+Use Assigned Access to restrict users to use only one application, so that the device acts like a kiosk. Administrators can use Assigned Access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
+
+The following guidelines may help you choose an appropriate Windows app for your Assigned Access experience.
+
+## General guidelines
+
+- Windows apps must be provisioned or installed for the Assigned Access account before they can be selected as the Assigned Access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps).
+- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the Assigned Access settings to launch the updated app, because Assigned Access uses the AUMID to determine which app to launch.
+- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps.
+
+## Guidelines for Windows apps that launch other apps
+
+Some apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
+
+Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
+
+## Guidelines for web browsers
+
+Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
+
+In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website.
+
+>[!NOTE]
+>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
+>
+>Kiosk Browser can't access intranet websites.
+
+**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
+
+1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
+1. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
+1. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
+
+>[!NOTE]
+>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
+
+### Kiosk Browser settings
+
+| Kiosk Browser settings | Use this setting to |
+|--|--|
+| Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. <br><br>For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. |
+| Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. <br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. |
+| Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. |
+| Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. |
+| Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. |
+| Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. |
+| Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. |
+
+To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
+
+1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer
+1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18)
+1. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com)
+1. Save the XML file
+1. Open the project again in Windows Configuration Designer
+1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed
+
+> [!TIP]
+>
+> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information:
+>
+> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
+> - Data type: Integer
+> - Value: 1
+
+#### Rules for URLs in Kiosk Browser settings
+
+Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
+
+URLs can include:
+
+- A valid port value from 1 to 65,535.
+- The path to the resource.
+- Query parameters.
+
+More guidelines for URLs:
+
+- If a period precedes the host, the policy filters exact host matches only
+- You can't use user:pass fields
+- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence
+- The policy searches wildcards (*) last
+- The optional query is a set of key-value and key-only tokens delimited by '&'
+- Key-value tokens are separated by '='
+- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching
+
+### Examples of blocked URLs and exceptions
+
+The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
+
+| Blocked URL rule | Block URL exception rule | Result |
+|--|--|--|
+| `*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. |
+| `contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. |
+| `youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). |
+
+The following table gives examples for blocked URLs.
+
+| Entry | Result |
+|--|--|
+| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com |
+| `https://*` | Blocks all HTTPS requests to any domain. |
+| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com |
+| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. |
+| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. |
+| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
+| `*:8080` | Blocks all requests to port 8080. |
+| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
+| `192.168.1.2` | Blocks requests to 192.168.1.1. |
+| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
+
+### Other browsers
+
+You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
+
+- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
+- [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView)
+- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
+
+## Secure your information
+
+Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
+
+## App configuration
+
+Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the Assigned Access user account before OneNote will open in assigned access.
+
+Check the guidelines published by your selected app and set up accordingly.
+
+## Develop your kiosk app
+
+Assigned access in Windows client uses the new lock framework. When an Assigned Access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
+
+Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access).
+
+## Test your Assigned Access experience
+
+The above guidelines may help you select or develop an appropriate Windows app for your Assigned Access experience. Once you've selected your app, we recommend that you thoroughly test the Assigned Access experience to ensure that your device provides a good customer experience.
+
+>

windows/configuration/assigned-access/quickstart-kiosk.md

@@ -42,7 +42,7 @@ Here are the steps to configure a kiosk using the Settings app:
     >[!NOTE]
     >If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
 
-1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
+1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
 
     - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
     - Which URL should be open when the kiosk accounts signs in
@@ -59,7 +59,7 @@ Here are the steps to configure a kiosk using the Settings app:
 >
 > When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
 
-[!INCLUDE [assigned-access-quickstart-kiosk-intune](includes/assigned-access-quickstart-kiosk-intune.md)]
+[!INCLUDE [quickstart-kiosk-intune](includes/quickstart-kiosk-intune.md)]
 
 [!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
 
@@ -68,7 +68,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
 - **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
 - **Value:**
 
-[!INCLUDE [assigned-access-quickstart-kiosk-xml](includes/assigned-access-quickstart-kiosk-xml.md)]
+[!INCLUDE [quickstart-kiosk-xml](includes/quickstart-kiosk-xml.md)]
 
 #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -77,7 +77,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
 - **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
 - **Value:**
 
-[!INCLUDE [assigned-access-quickstart-kiosk-xmll](includes/assigned-access-quickstart-kiosk-xml.md)]
+[!INCLUDE [quickstart-kiosk-xmll](includes/quickstart-kiosk-xml.md)]
 
 [!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
 
@@ -85,7 +85,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
 
 [!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
 
-[!INCLUDE [assigned-access-quickstart-kiosk-ps](includes/assigned-access-quickstart-kiosk-ps.md)]
+[!INCLUDE [quickstart-kiosk-ps](includes/quickstart-kiosk-ps.md)]
 
 [!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
 
@@ -98,9 +98,9 @@ After the settings are applied, reboot the device. A local user account is autom
 ## Next steps
 
 > [!div class="nextstepaction"]
-> Learn more how to configure Windows to run a single app or multiple apps with Assigned Access:
+> Learn more about Assigned Access and how to configure it:
 >
-> [Configure Assigned Access](assigned-access-configure.md)
+> [Assigned Access overview](overview.md)
 
 <!--links-->
 

windows/configuration/assigned-access/quickstart-restricted-user-experience.md

@@ -36,7 +36,7 @@ The examples can be modified to fit your specific requirements. For example, you
 >
 > When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
 
-[!INCLUDE [assigned-access-quickstart-restricted-experience-intune.md](includes/assigned-access-quickstart-restricted-experience-intune.md)]
+[!INCLUDE [quickstart-restricted-experience-intune.md](includes/quickstart-restricted-experience-intune.md)]
 
 [!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
 
@@ -45,7 +45,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
 - **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
 - **Value:**
 
-[!INCLUDE [assigned-access-quickstart-restricted-experience-xml.md](includes/assigned-access-quickstart-restricted-experience-xml.md)]
+[!INCLUDE [quickstart-restricted-experience-xml.md](includes/quickstart-restricted-experience-xml.md)]
 
 #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -54,7 +54,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
 - **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
 - **Value:**
 
-[!INCLUDE [assigned-access-quickstart-restricted-experience-xml.md](includes/assigned-access-quickstart-restricted-experience-xml.md)]
+[!INCLUDE [quickstart-restricted-experience-xml.md](includes/quickstart-restricted-experience-xml.md)]
 
 [!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
 
@@ -62,7 +62,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
 
 [!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
 
-[!INCLUDE [assigned-access-quickstart-restricted-experience-ps.md](includes/assigned-access-quickstart-restricted-experience-ps.md)]
+[!INCLUDE [quickstart-restricted-experience-ps.md](includes/quickstart-restricted-experience-ps.md)]
 
 [!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
 
@@ -85,9 +85,9 @@ After the settings are applied, reboot the device. A local user account is autom
 ## Next steps
 
 > [!div class="nextstepaction"]
-> Learn more how to configure Windows to run a single app or multiple apps with Assigned Access:
+> Learn more about Assigned Access and how to configure it:
 >
-> [Configure Assigned Access](assigned-access-configure.md)
+> [Assigned Access overview](overview.md)
 
 <!--links-->
 

windows/configuration/assigned-access/recommendations.md

@@ -1,11 +1,11 @@
 ---
-title: Prepare a device for kiosk configuration
+title: Assigned Access recommendations
-description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
+description: Learn about the recommended kiosk and restricted useer experience configuration options.
 ms.topic: article
-ms.date: 12/31/2017
+ms.date: 2/29/2024
 ---
 
-# Prepare a device for kiosk configuration
+# Assigned Access recommendations
 
 ## Before you begin
 
@@ -174,7 +174,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
 Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
 
-:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
+:::image type="content" source="images/enable-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
 
 ## Automatic logon
 

windows/configuration/assigned-access/shell-launcher/configuration-file.md

@@ -191,7 +191,7 @@ Allowed values are `Desktop` and `UWP`.
 
 ## Kiosk example
 
-[!INCLUDE [shell-launcher-quickstart-xml](includes/shell-launcher-quickstart-xml.md)]
+[!INCLUDE [quickstart-xml](..includes/quickstart-xml.md)]
 
 
 

windows/configuration/assigned-access/shell-launcher/index.md

@@ -22,13 +22,7 @@ Methods of controlling access to other desktop applications and system component
 - Group policy (GPO)
 - [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
 
-## Windows edition requirements
+[!INCLUDE [shell-launcher](../../../..includes/licensing/shell-launcher.md)]
-
-The following table lists the Windows editions that support Shell Launcher:
-
-|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:---:|:---:|:---:|:---:|
-|No|Yes|No|Yes|
 
 ## Limitations
 
@@ -39,7 +33,7 @@ Here are some limitations to consider when using Shell Launcher:
 
 ## Configure a device with Shell Launcher
 
-[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+[!INCLUDE [tab-intro](../../../..includes/configure/tab-intro.md)]
 
 #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
 

windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md

@@ -24,7 +24,7 @@ The examples can be modified to fit your specific requirements. For example, you
 
 ## Configure a kiosk device
 
-[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+[!INCLUDE [tab-intro](../../../..includes/configure/tab-intro.md)]
 
 #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
 
@@ -33,24 +33,24 @@ The examples can be modified to fit your specific requirements. For example, you
 >
 > When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
 
-[!INCLUDE [shell-launcher-quickstart-intune](includes/shell-launcher-quickstart-intune.md)]
+[!INCLUDE [quickstart-intune](..includes/quickstart-intune.md)]
 
-[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-2](../../../..includes/configure/intune-custom-settings-2.md)]
 
 Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
 
 - **Setting:** `./Vendor/MSFT/AssignedAccess/ShellLauncher`
 - **Value:**
 
-[!INCLUDE [quickstart-shell-launcher-xml](includes/quickstart-shell-launcher-xml.md)]
+[!INCLUDE [quickstart-xml](..includes/quickstart-xml.md)]
 
 #### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
 
-[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
+[!INCLUDE [powershell-wmi-bridge-1](../../../..includes/configure/powershell-wmi-bridge-1.md)]
 
-[!INCLUDE [shell-launcher-quickstart-ps](includes/shell-launcher-quickstart-ps.md)]
+[!INCLUDE [quickstart-ps](..includes/quickstart-ps.md)]
 
-[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
+[!INCLUDE [powershell-wmi-bridge-2](../../../..includes/configure/powershell-wmi-bridge-2.md)]
 
 ---
 
@@ -63,7 +63,7 @@ After the settings are applied, reboot the device. A local user account is autom
 > [!div class="nextstepaction"]
 > Learn more how to create a Shell Launcher configuration file:
 >
-> [Create a Shell Launcher configuration file](create-shell-launcher-configuration.md)
+> [Create a Shell Launcher configuration file](create-configuration.md)
 
 <!--links-->
 

windows/configuration/assigned-access/shell-launcher/toc.yml

@@ -0,0 +1,9 @@
+items:
+- name: What is Shell Launcher?
+  href: index.md
+- name: "Quickstart: Configure a kiosk with Shell Launcher"
+  href: quickstart-kiosk.md
+- name: Create a Shell Launcher configuration file
+  href: configuration-file.md
+- name: Shell Launcher XSD
+  href: xsd.md

windows/configuration/assigned-access/toc.yml

@@ -4,41 +4,29 @@ items:
 - name: Assigned Access
   items:
   - name: What is Assigned Access?
-    href: assigned-access-overview.md
+    href: overview.md
   - name: Quickstarts
     items:
       - name: Configure a kiosk with Assigned Access
-        href: assigned-access-quickstart-kiosk.md
+        href: quickstart-kiosk.md
       - name: Configure a restricted user experience with Assigned Access
-        href: assigned-access-quickstart-restricted-experience.md
+        href: quickstart-restricted-user-experience.md
-  - name: Concepts
-    items:
-      - name: Guidelines for choosing an app for assigned access
-        href: guidelines-for-assigned-access-app.md
   - name: How-to guides
     items:
       - name: Create an Assigned Access configuration file
-        href: assigned-access-configuration-file.md
+        href: configuration-file.md
       - name: Prepare a device for kiosk configuration
         href: kiosk-prepare.md
   - name: Reference
     items:
       - name: Assigned Access XSD
-        href: assigned-access-xsd.md
+        href: xsd.md
       - name: Assigned Access XML examples
-        href: assigned-access-examples.md
+        href: examples.md
       - name: Assigned Access policy settings
-        href: assigned-access-policy-settings.md
+        href: policy-settings.md
 - name: Shell Launcher
-  items:
+  href: shell-launcher/toc.yml
-  - name: What is Shell Launcher?
-    href: shell-launcher-overview.md
-  - name: "Quickstart: Configure a kiosk with Shell Launcher"
-    href: shell-launcher-quickstart-kiosk.md
-  - name: Create a Shell Launcher configuration file
-    href: shell-launcher-configuration-file.md
-  - name: Shell Launcher XSD
-    href: shell-launcher-xsd.md
 - name: Assigned Access CSP 🔗
   href: /windows/client-management/mdm/assignedaccess-csp
 - name: Troubleshoot 🔗