diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f3234c0e64..cae7712f27 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6566,6 +6566,21 @@ "redirect_document_id": true }, { +"source_path": "windows/configuration/kiosk-shared-pc.md", +"redirect_url": "/windows/configuration/kiosk-methods", +"redirect_document_id": true +}, +{ +"source_path": "windows/configuration/setup-kiosk-digital-signage.md", +"redirect_url": "/windows/configuration/kiosk-single-app", +"redirect_document_id": true +}, +{ +"source_path": "windows/configuration/multi-app-kiosk-xml.md", +"redirect_url": "/windows/configuration/kiosk-xml", +"redirect_document_id": true +}, +{ "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md", "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps", "redirect_document_id": true @@ -6686,11 +6701,6 @@ "redirect_document_id": true }, { -"source_path": "windows/configuration/multi-app-kiosk-xml.md", -"redirect_url": "windows/configuration/kiosk-xml.md", -"redirect_document_id": true -}, -{ "source_path": "windows/configure/provisioning-uninstall-package.md", "redirect_url": "/windows/configuration/provisioning-packages/provisioning-uninstall-package", "redirect_document_id": true diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 6480fcac26..dad54fdffa 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md 
@@ -1,13 +1,20 @@ # [Configure Windows 10](index.md) ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) -## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) -### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) -### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) -### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) +## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md) +### [Prepare a device for kiosk configuration](kiosk-prepare.md) +### [Set up digital signs on Windows 10](setup-digital-signage.md) +### [Set up a single-app kiosk](kiosk-single-app.md) +### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) +### [More kiosk methods and reference information](kiosk-additional-reference.md) +#### [Validate your kiosk configuration](kiosk-validate.md) +#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) +#### [Policies enforced on kiosk devices](kiosk-policies.md) +#### [Assigned access XML reference](kiosk-xml.md) +#### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) +#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) +#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) -#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md) -### [Assigned Access configuration (kiosk) XML reference](kiosk-xml.md) ## [Configure Windows 10 Mobile 
devices](mobile-devices/configure-mobile.md) ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 8fac2d4142..2407ef393e 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,14 +10,18 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 06/27/2018 +ms.date: 07/30/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## July 2018 +New or changed topic | Description +--- | --- +[Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md). ## June 2018 
@@ -70,7 +74,7 @@ New or changed topic | Description New or changed topic | Description --- | --- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update. -Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer. +Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer. ## February 2018 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 844295ad38..cde506630f 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,6 +1,6 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/31/2018 +ms.date: 07/30/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) 
@@ -55,7 +55,7 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr >[!NOTE] >If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). -#### Kiosk Browser settings +### Kiosk Browser settings Kiosk Browser settings | Use this setting to --- | --- diff --git a/windows/configuration/images/kiosk-desktop.PNG b/windows/configuration/images/kiosk-desktop.PNG new file mode 100644 index 0000000000..cf74c646c7 Binary files /dev/null and b/windows/configuration/images/kiosk-desktop.PNG differ diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/images/kiosk-fullscreen-sm.png new file mode 100644 index 0000000000..b096d6837d Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen-sm.png differ diff --git a/windows/configuration/images/kiosk-fullscreen.PNG b/windows/configuration/images/kiosk-fullscreen.PNG new file mode 100644 index 0000000000..37ccd4f8a4 Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen.PNG differ diff --git a/windows/configuration/images/kiosk-intune.PNG b/windows/configuration/images/kiosk-intune.PNG new file mode 100644 index 0000000000..2cbe25c6a5 Binary files /dev/null and b/windows/configuration/images/kiosk-intune.PNG differ diff --git a/windows/configuration/images/kiosk-settings.PNG b/windows/configuration/images/kiosk-settings.PNG new file mode 100644 index 0000000000..51a4338371 Binary files /dev/null and b/windows/configuration/images/kiosk-settings.PNG differ diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/images/kiosk-wizard.png new file mode 100644 index 0000000000..160e170e5c Binary files /dev/null and b/windows/configuration/images/kiosk-wizard.png differ 
diff --git a/windows/configuration/images/kiosk.png b/windows/configuration/images/kiosk.png
new file mode 100644
index 0000000000..868ea31bb1
Binary files /dev/null and b/windows/configuration/images/kiosk.png differ
diff --git a/windows/configuration/images/office-logo.png b/windows/configuration/images/office-logo.png
new file mode 100644
index 0000000000..cd6d504301
Binary files /dev/null and b/windows/configuration/images/office-logo.png differ
diff --git a/windows/configuration/images/set-assignedaccess.png b/windows/configuration/images/set-assignedaccess.png
new file mode 100644
index 0000000000..c2899361eb
Binary files /dev/null and b/windows/configuration/images/set-assignedaccess.png differ
diff --git a/windows/configuration/images/user.PNG b/windows/configuration/images/user.PNG
new file mode 100644
index 0000000000..d1386d4a0d
Binary files /dev/null and b/windows/configuration/images/user.PNG differ
diff --git a/windows/configuration/images/windows.png b/windows/configuration/images/windows.png
new file mode 100644
index 0000000000..e3889eff6a
Binary files /dev/null and b/windows/configuration/images/windows.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 5ed671a894..11ec530a2c 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -22,7 +22,8 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | -| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. | +| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | +| [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. | | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. | | [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. | diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md new file mode 100644 index 0000000000..1776738f55 --- /dev/null +++ b/windows/configuration/kiosk-additional-reference.md 
@@ -0,0 +1,37 @@
+---
+title: More kiosk methods and reference information (Windows 10)
+description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# More kiosk methods and reference information
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+## In this section
+
+Topic | Description
+--- | ---
+[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk.
+[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience.
+[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
+[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.
+[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
+[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface.
+[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
+[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
+
+
+
+
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
new file mode 100644
index 0000000000..542b9abf2e
--- /dev/null
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -0,0 +1,86 @@
+---
+title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10)
+description: Environments that use Windows Management Instrumentation (WMI)can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# Use MDM Bridge WMI Provider to create a Windows 10 kiosk
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
+
+Here’s an example to set AssignedAccess configuration:
+
+1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
+2. Run `psexec.exe -i -s cmd.exe`.
+3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
+4. Execute the following script:
+
+```ps
+$nameSpaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = @"
+<?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+ <Profiles>
+ <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+ <AllAppsList>
+ <AllowedApps>
+ <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+ <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+ </AllowedApps>
+ </AllAppsList>
+ <StartLayout>
+ <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutOptions StartTileGroupCellWidth="6" />
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6">
+ <start:Group Name="Group1">
+ <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ </start:Group>
+ <start:Group Name="Group2">
+ <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
+ <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+ ]]>
+ </StartLayout>
+ <Taskbar ShowTaskbar="true"/>
+ </Profile>
+ </Profiles>
+ <Configs>
+ <Config>
+ <Account>MultiAppKioskUser</Account>
+ <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+ </Config>
+ </Configs>
+</AssignedAccessConfiguration>
+"@
+
+Set-CimInstance -CimInstance $obj
+```
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
new file mode 100644
index 0000000000..a142517a28
--- /dev/null
+++ b/windows/configuration/kiosk-methods.md
@@ -0,0 +1,77 @@
+---
+title: Configure kiosks and digital signs on Windows desktop editions (Windows 10)
+description: Learn about the methods for configuring kiosks.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: jdeckerms
+ms.date: 07/30/2018
+---
+
+# Configure kiosks and digital signs on Windows desktop editions
+
+Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use:
+
+| | |
+--- | ---
+ | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

A single-app kiosk is ideal for public use.

(Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

A multi-app kiosk is appropriate for devices that are shared by multiple people.

When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) + +Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + +There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. + +| | | +--- | --- +![icon that represents apps](images/office-logo.png) | **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) +![icon that represents a kiosk](images/kiosk.png) | **Which type of kiosk do you need?** If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). +![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. +![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. 
If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + + + +## Methods for a single-app kiosk running a UWP app + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user +[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a single-app kiosk running a Windows desktop application + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD +[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a multi-app kiosk + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD +[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active 
Directory, Azure AD + +## Summary of kiosk configuration methods + +Method | App type | Account type | Single-app kiosk | Multi-app kiosk +--- | --- | --- | :---: | :---: +[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X | +[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X | +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X +Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X +[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X + + +>[!NOTE] +>For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. + diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md new file mode 100644 index 0000000000..b6fe2acd42 --- /dev/null +++ b/windows/configuration/kiosk-policies.md 
@@ -0,0 +1,82 @@
+---
+title: Policies enforced on kiosk devices (Windows 10)
+description: Learn about the policies enforced on a device when you configure it as a kiosk.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+ms.author: jdecker
+---
+
+# Policies enforced on kiosk devices
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+
+It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience.
+
+When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
+
+
+## Group Policy
+
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
+
+| Setting | Value |
+| --- | --- |
+Remove access to the context menus for the task bar | Enabled
+Clear history of recently opened documents on exit | Enabled
+Prevent users from customizing their Start Screen | Enabled
+Prevent users from uninstalling applications from Start | Enabled
+Remove All Programs list from the Start menu | Enabled
+Remove Run menu from Start Menu | Enabled
+Disable showing balloon notifications as toast | Enabled
+Do not allow pinning items in Jump Lists | Enabled
+Do not allow pinning programs to the Taskbar | Enabled
+Do not display or track items in Jump Lists from remote locations | Enabled
+Remove Notifications and Action Center | Enabled
+Lock all taskbar settings | Enabled
+Lock the Taskbar | Enabled
+Prevent users from adding or removing toolbars | Enabled
+Prevent users from resizing the taskbar | Enabled
+Remove frequent programs list from the Start Menu | Enabled
+Remove Pinned programs from the taskbar | Enabled
+Remove the Security and Maintenance icon | Enabled
+Turn off all balloon notifications | Enabled
+Turn off feature advertisement balloon notifications | Enabled
+Turn off toast notifications | Enabled
+Remove Task Manager | Enabled
+Remove Change Password option in Security Options UI | Enabled
+Remove Sign Out option in Security Options UI | Enabled
+Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
+Prevent access to drives from My Computer | Enabled - Restrict all drivers
+
+>[!NOTE]
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+
+
+
+## MDM policy
+
+
+Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
+
+Setting | Value | System-wide
+ --- | --- | ---
+[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
+[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+Start/HidePeopleBar | 1 - True (hide) | No
+[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
+[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
+[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
+[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
+
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
new file mode 100644
index 0000000000..a9fa30337a
--- /dev/null
+++ b/windows/configuration/kiosk-prepare.md
@@ -0,0 +1,81 @@
+---
+title: Prepare a device for kiosk configuration (Windows 10)
+description: Some tips for device settings on kiosks.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# Prepare a device for kiosk configuration
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+>[!WARNING]
+>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
+>
+>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+
+
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
+
+Recommendation | How to
+--- | ---
+Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

You must restart the device after changing the registry.
+Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
+Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
+Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+
+In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
+
+>[!TIP]
+>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
+
+
+**How to edit the registry to have an account sign in automatically**
+
+1. Open Registry Editor (regedit.exe).
+
+ >[!NOTE]  
+ >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
+  
+
+2. Go to
+
+ **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
+
+3. Set the values for the following keys.
+
+ - *AutoAdminLogon*: set value as **1**.
+
+ - *DefaultUserName*: set value as the account that you want signed in.
+
+ - *DefaultPassword*: set value as the password for the account.
+
+ > [!NOTE]
+ > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
+
+ - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
+
+4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. 
+
+>[!TIP]
+>You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
+
+
+
+
+
+
+
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
deleted file mode 100644
index 4627f16d24..0000000000
--- a/windows/configuration/kiosk-shared-pc.md
+++ /dev/null
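Review bot: Step 3 of the automatic sign-in procedure has the reader put the account password in the *DefaultPassword* string value, but the page never says that this value is stored in clear text under the Winlogon key and is readable by any account that can read that key. I would add a note under the *DefaultPassword* bullet, for example `> [!WARNING] > *DefaultPassword* is stored in plain text in the registry. Use this method only with a least-privileged local account, and consider the Autologon tool, which stores the password as an LSA secret instead.` Step 2 of the same procedure gives the path as `Microsoft\WindowsNT\CurrentVersion\Winlogon`; the key is named `Windows NT` with a space, so the path as written will not be found, and the backslash escaping in that line is also inconsistent.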
@@ -1,26 +0,0 @@
----
-title: Configure kiosk and shared devices running Windows desktop editions (Windows 10)
-description:
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: jdeckerms
-ms.author: jdecker
-ms.topic: article
-ms.date: 08/08/2017
----
-
-# Configure kiosk and shared devices running Windows desktop editions
-
-Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app).
-
-## In this section
-
-| Topic | Description |
-| --- | --- |
-| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
-| [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
-| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
-| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. 
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
new file mode 100644
index 0000000000..b25eb4e96a
--- /dev/null
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -0,0 +1,201 @@ +--- +title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10) +description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Use Shell Launcher to create a Windows 10 kiosk + + +**Applies to** +>App type: Windows desktop application +> +>OS edition: Windows 10 Ent, Edu +> +>Account type: Local standard user or administrator, Active Directory, Azure AD + + +Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. + +>[!NOTE] +>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard). + +>[!WARNING] +>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. +>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. + +### Requirements + +- A domain or local user account. + +- A Windows desktop application that is installed for that account. 
The app can be your own company application or a common app like Internet Explorer. + +[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) + + +### Configure Shell Launcher + +To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. + +**To turn on Shell Launcher in Windows features** + +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. + +2. Expand **Device Lockdown**. + +2. Select **Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. + +**To turn on Shell Launcher using DISM** + +1. Open a command prompt as an administrator. +2. Enter the following command. + + ``` + Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher + ``` + +**To set your custom shell** + +Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. 
+ +``` +# Check if shell launcher license is enabled +function Check-ShellLauncherLicenseEnabled +{ + [string]$source = @" +using System; +using System.Runtime.InteropServices; + +static class CheckShellLauncherLicense +{ + const int S_OK = 0; + + public static bool IsShellLauncherLicenseEnabled() + { + int enabled = 0; + + if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { + enabled = 0; + } + + return (enabled != 0); + } + + static class NativeMethods + { + [DllImport("Slc.dll")] + internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); + } + +} +"@ + + $type = Add-Type -TypeDefinition $source -PassThru + + return $type[0]::IsShellLauncherLicenseEnabled() +} + +[bool]$result = $false + +$result = Check-ShellLauncherLicenseEnabled +"`nShell Launcher license enabled is set to " + $result +if (-not($result)) +{ + "`nThis device doesn't have required license to use Shell Launcher" + exit +} + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods. +try { + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + } catch [Exception] { + write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" + exit + } + + +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + +$Admins_SID = "S-1-5-32-544" + +# Create a function to retrieve the SID for a user account on a machine. + +function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value + +} + +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. 
+ +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. + +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 + +# Examples. You can change these examples to use the program that you want to use as the shell. + +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. + +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + +# Display the default shell to verify that it was added correctly. + +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. + +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + +# Set Explorer as the shell for administrators. + +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + +# View all the custom shells defined. + +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + +# Enable Shell Launcher + +$ShellLauncherClass.SetEnabled($TRUE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled +``` diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md new file mode 100644 index 0000000000..68dc1a807c --- /dev/null 
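Review bot: In the sample script, the comment above the `SetCustomShell($Cashier_SID, ...)` call says the machine is restarted when Internet Explorer is closed, but the call passes `$restart_shell`. The comment should read `# Set Internet Explorer as the shell for "Cashier", and restart the shell if Internet Explorer is closed.`, or the argument should be `$restart_device`. The example also makes `cmd.exe` the default shell, which is what any account without its own custom shell entry would get. I would add `# cmd.exe is for testing only; on a deployed kiosk set the default shell to the kiosk application.` above the `SetDefaultShell` call. The script ends by removing both custom shells and calling `SetEnabled($FALSE)`, so run as written it leaves Shell Launcher disabled; a comment marking that tail as cleanup to delete for a real deployment would make this clear.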
+++ b/windows/configuration/kiosk-single-app.md @@ -0,0 +1,244 @@ +--- +title: Set up a single-app kiosk (Windows 10) +description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Set up a single-app kiosk + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + + +| | | +--- | --- +A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) + +You have several options for configuring your single-app kiosk. + +Method | Description +--- | --- +[Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. +[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. +[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. + + +>[!TIP] +>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + + + + +## Set up a kiosk in local Settings + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +You can use **Settings** to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) + +![The Set up assigned access page in Settings](images/kiosk-settings.png) + +**To set up assigned access in PC settings** + +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. + +2. Choose **Set up assigned access**. + +3. Choose an account. + +4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). + +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. + +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. + +When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. 
+ +- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. + +- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. + +![Screenshot of automatic sign-in setting](images/auto-signin.png) + + + + + + +## Set up a kiosk using Windows PowerShell + + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png) + +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. + +Before you run the cmdlet: + +1. Log in as administrator. +2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. +3. Log in as the Assigned Access user account. +4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. +5. Log out as the Assigned Access user account. +6. Log in as administrator. + +To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. 
+ +**Configure assigned access by AppUserModelID and user name** + +``` +Set-AssignedAccess -AppUserModelId -UserName +``` +**Configure assigned access by AppUserModelID and user SID** + +``` +Set-AssignedAccess -AppUserModelId -UserSID +``` +**Configure assigned access by app name and user name** + +``` +Set-AssignedAccess -AppName -UserName +``` +**Configure assigned access by app name and user SID** + +``` +Set-AssignedAccess -AppName -UserSID +``` + +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + +[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). + +[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). + +[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). + +To remove assigned access, using PowerShell, run the following cmdlet. + +``` +Clear-AssignedAccess +``` + + + +## Set up a kiosk using the kiosk wizard in Windows Configuration Designer + +>App type: UWP or Windows desktop application +> +>OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +> +>Account type: Local standard user, Active Directory + +![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) + + +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. 
+ + +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. + + + + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
+ + +>[!NOTE] +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** + +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + + + + +[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) + + + + + +  + + + +## Set up a kiosk or digital sign using Microsoft Intune or other MDM service + +>App type: UWP +> +>OS edition: Windows 10 Pro (version 1709), Ent, Edu +> +>Account type: Local standard user, Azure AD + +![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + +Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. + +>[!TIP] +>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). + +The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. + +**To configure kiosk in Microsoft Intune** + +2. 
In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +3. Select **Device configuration**. +4. Select **Profiles**. +5. Select **Create profile**. +6. Enter a friendly name for the profile. +7. Select **Windows 10 and later** for the platform. +8. Select **Device restrictions** for the profile type. +9. Select **Kiosk**. +10. In **Kiosk Mode**, select **Single app kiosk**. +1. Enter the user account (Azure AD or a local standard user account). +11. Enter the Application User Model ID for an installed app. +14. Select **OK**, and then select **Create**. +18. Assign the profile to a device group to configure the devices in that group as kiosks. + + + +## Sign out of assigned access + +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. + +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: + +**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** + +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +  + + + diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md new file mode 100644 index 0000000000..d46cd63941 --- /dev/null +++ b/windows/configuration/kiosk-validate.md 
@@ -0,0 +1,94 @@ +--- +title: Validate kiosk configuration (Windows 10) +description: This topic explains what to expect on a multi-app kiosk. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Validate kiosk configuration + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. + +Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. + +To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. + +>[!NOTE] +>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. + +The following sections explain what to expect on a multi-app kiosk. + +### App launching and switching experience + +In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. + +The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. 
They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. + +### Start changes + +When the assigned access user signs in, you should see a restricted Start experience: +- Start gets launched in full screen and prevents the end user from accessing the desktop. +- Start shows the layout aligned with what you defined in the multi-app configuration XML. +- Start prevents the end user from changing the tile layout. + - The user cannot resize, reposition, and unpin the tiles. + - The user cannot pin additional tiles on the start. +- Start hides **All Apps** list. +- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). +- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) +- Start hides **Change account settings** option under **User** button. + +### Taskbar changes + +If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: +- Disables context menu of Start button (Quick Link) +- Disables context menu of taskbar +- Prevents the end user from changing the taskbar +- Disables Cortana and Search Windows +- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace +- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings + +### Blocked hotkeys + +The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
+ +| Hotkey | Action | +| --- | --- | +| Windows logo key + A | Open Action center | +| Windows logo key + Shift + C | Open Cortana in listening mode | +| Windows logo key + D | Display and hide the desktop | +| Windows logo key + Alt + D | Display and hide the date and time on the desktop | +| Windows logo key + E | Open File Explorer | +| Windows logo key + F | Open Feedback Hub | +| Windows logo key + G | Open Game bar when a game is open | +| Windows logo key + I | Open Settings | +| Windows logo key + J | Set focus to a Windows tip when one is available. | +| Windows logo key + O | Lock device orientation | +| Windows logo key + Q | Open search | +| Windows logo key + R | Open the Run dialog box | +| Windows logo key + S | Open search | +| Windows logo key + X | Open the Quick Link menu | +| Windows logo key + comma (,) | Temporarily peek at the desktop | +| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | + + + +### Locked-down Ctrl+Alt+Del screen + +The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. + +### Auto-trigger touch keyboard + +In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. + + diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 74cdfe88e1..9be99277a6 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- 
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index de93d13008..876d2a663d 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 08/14/2017 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- @@ -37,7 +37,7 @@ This topic describes how to lock down apps on a local device. You can also use A ## Install apps -First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account. +First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account. ## Use AppLocker to set rules for apps diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 8e3162d8d0..7793d23b83 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -1,5 +1,5 @@ --- -title: Create a Windows 10 kiosk that runs multiple apps (Windows 10) +title: Set up a multi-app kiosk (Windows 10) description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions", "applocker"] 
@@ -9,29 +9,29 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 06/21/2018 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- -# Create a Windows 10 kiosk that runs multiple apps +# Set up a multi-app kiosk **Applies to** - Windows 10 Pro, Enterprise, and Education -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: + +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: - Configure [a single-app kiosk profile](#profile) in your XML file. - Assign [group accounts to a config profile](#config-for-group-accounts). - Configure [an account to sign in automatically](#config-for-autologon-account). - -The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
+The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. >[!WARNING] ->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. +>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). @@ -65,7 +65,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi >Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. - ## Configure a kiosk using a provisioning package Process: 
@@ -77,12 +76,12 @@ Watch how to use a provisioning package to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). ### Prerequisites -- Windows Configuration Designer (Windows 10, version 1709) -- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 +- Windows Configuration Designer (Windows 10, version 1709 or later) +- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later >[!NOTE] >For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. @@ -161,7 +160,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. 
@@ -479,10 +478,7 @@ Provisioning packages can be applied to a device during the first-run experience -### Validate provisioning -- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration. -- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. 
@@ -496,147 +492,9 @@ If your device is enrolled with a MDM server which supports applying the assigne The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. - -## Use MDM Bridge WMI Provider to configure assigned access - -Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. - -Here’s an example to set AssignedAccess configuration: - -1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). -2. Run `psexec.exe -i -s cmd.exe`. -3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -4. Execute the following script: - -```ps -$nameSpaceName="root\cimv2\mdm\dmmap" -$className="MDM_AssignedAccess" -$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = @" -<?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate 
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> -"@ - -Set-CimInstance -CimInstance $obj -``` - - -## Validate multi-app kiosk configuration - -Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. 
- ->[!NOTE] ->The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. - -The following sections explain what to expect on a multi-app kiosk. - -### App launching and switching experience - -In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. - -The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. - -### Start changes - -When the assigned access user signs in, you should see a restricted Start experience: -- Start gets launched in full screen and prevents the end user from accessing the desktop. -- Start shows the layout aligned with what you defined in the multi-app configuration XML. -- Start prevents the end user from changing the tile layout. - - The user cannot resize, reposition, and unpin the tiles. - - The user cannot pin additional tiles on the start. -- Start hides **All Apps** list. -- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). -- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) -- Start hides **Change account settings** option under **User** button. 
- -### Taskbar changes - -If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: -- Disables context menu of Start button (Quick Link) -- Disables context menu of taskbar -- Prevents the end user from changing the taskbar -- Disables Cortana and Search Windows -- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace -- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings - -### Blocked hotkeys - -The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. - -| Hotkey | Action | -| --- | --- | -| Windows logo key + A | Open Action center | -| Windows logo key + Shift + C | Open Cortana in listening mode | -| Windows logo key + D | Display and hide the desktop | -| Windows logo key + Alt + D | Display and hide the date and time on the desktop | -| Windows logo key + E | Open File Explorer | -| Windows logo key + F | Open Feedback Hub | -| Windows logo key + G | Open Game bar when a game is open | -| Windows logo key + I | Open Settings | -| Windows logo key + J | Set focus to a Windows tip when one is available. | -| Windows logo key + O | Lock device orientation | -| Windows logo key + Q | Open search | -| Windows logo key + R | Open the Run dialog box | -| Windows logo key + S | Open search | -| Windows logo key + X | Open the Quick Link menu | -| Windows logo key + comma (,) | Temporarily peek at the desktop | -| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | -### Locked-down Ctrl+Alt+Del screen - -The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. 
- -### Auto-trigger touch keyboard - -In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. @@ -756,3 +614,6 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont - Under **CommandLine**, enter `cmd /c *FileName*.bat`. +## Other methods + +Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). \ No newline at end of file diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index d77388e0cb..1628b1c866 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -52,10 +52,10 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

-

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

+

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

-

Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

+

Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.

[Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index 0ee82de1b3..6857cf8aac 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 09/27/2017 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- @@ -31,7 +31,7 @@ For example: **Troubleshooting steps** -1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning). +1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 17162822c3..9979020ba7 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -82,7 +82,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ![step one](../images/one.png)![set up device](../images/set-up-device.png)

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

You can also select to remove pre-installed software from the device. ![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png) ![step two](../images/two.png) ![set up network](../images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.![Enter network SSID and type](../images/set-up-network-details-desktop.png) ![step three](../images/three.png) ![account management](../images/account-management.png)

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png) -![step four](../images/four.png) ![add applications](../images/add-applications.png)

You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) +![step four](../images/four.png) ![add applications](../images/add-applications.png)

You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) ![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](../images/add-certificates-details.png) ![finish](../images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](../images/finish-details.png) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index bacec7e70a..9f7712c5d3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -20,7 +20,7 @@ ms.date: 09/06/2017 - Windows 10 -In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). @@ -35,7 +35,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app -## Settings for Classic Windows apps +## Settings for Windows desktop applications ### MSI installer 
@@ -61,7 +61,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate -## Add a Classic Windows app using advanced editor in Windows Configuration Designer +## Add a Windows desktop application using advanced editor in Windows Configuration Designer 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index b05f6637ed..c0cbd3ed3f 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -43,7 +43,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) + - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 4bbbf8ad10..2a331f5839 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md 
@@ -86,7 +86,7 @@ The following table describes settings that you can configure using the wizards - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#wizard) diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md new file mode 100644 index 0000000000..c0fdbf85d4 --- /dev/null +++ b/windows/configuration/setup-digital-signage.md 
@@ -0,0 +1,87 @@ +--- +title: Set up digital signs on Windows 10 (Windows 10) +description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Set up digital signs on Windows 10 + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. + +For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. + +>[!TIP] +>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). + +Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803. + +>[!NOTE] +>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business). 
+ + +This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience). + +1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) +2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) +2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md) +3. Open Windows Configuration Designer and select **Provision kiosk devices**. +4. Enter a friendly name for the project, and select **Finish**. +5. On **Set up device**, select **Disabled**, and select **Next**. +6. On **Set up network**, enable network setup. + - Toggle **On** wireless network connectivity. + - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. +7. On **Account management**, select **Disabled**, and select **Next**. +8. On **Add applications**, select **Add an application**. + - For **Application name**, enter `Kiosk Browser`. + - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed. + - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business. + - The **Package family name** is populated automatically. + - Select **Next**. +9. On **Add certificates**, select **Next**. +10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage. + - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. 
+ - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. + - For **App type**, select **Universal Windows App**. + - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`. +11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. +12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu. + - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. + - In **BlockedUrl**, enter `*`. + - In **DefaultUrl**, enter `https://www.contoso.com/menu`. + - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**. +13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box. +14. On the **Export** menu, select **Provisioning package**. +15. Change the **Owner** to **IT Admin**, and select **Next**. +16. On **Select security details for the provisioning package**, select **Next**. +17. On **Select where to save the provisioning package**, select **Next**. +18. On **Build the provisioning package**, select **Build**. +19. On the **All done!** screen, click the **Output location**. +20. Copy the .ppkg file to a USB drive. +21. Attach the USB drive to the device that you want to use for your digital sign. +22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive. + + + + + + + + + + + + + + \ No newline at end of file diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md deleted file mode 100644 index f2f227fd8c..0000000000 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ /dev/null 
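Review bot: Step 16 has the reader select **Next** on **Select security details for the provisioning package** without enabling package encryption, even though the package built here carries the auto sign-in account's password (step 10) and, for **WPA2-Personal**, the Wi-Fi password (step 6), and is then copied to a USB drive in step 20. The deleted setup-kiosk-digital-signage.md carried an IMPORTANT note that project files are not encrypted and should be stored securely and deleted when no longer needed; this page has no equivalent, and whether kiosk-single-app.md picked it up is not visible in this diff. I would change step 16 to `16. On **Select security details for the provisioning package**, select **Enable package encryption**, record the generated password, and select **Next**.` and add after step 13 a note such as `>[!IMPORTANT] >Project files are not encrypted and can contain the kiosk account and Wi-Fi passwords. Store them in a secure location and delete them when they are no longer needed.` Separately, the list has two items numbered `2.`, so the rendered step numbers will not match the numbers in the source.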
@@ -1,487 +0,0 @@ ---- -title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.localizationpriority: medium -ms.date: 06/05/2018 ---- - -# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education - - -**Applies to** - -- Windows 10 Pro, Enterprise, and Education - - - -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md).) - - - -## Choose a method for configuring your kiosks and digitals signs - -**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart. - ->[!TIP] ->For **digital signage**, simply select a digital sign player as your kiosk app. You can also use the **Kiosk Browser** app ([new in Windows 10, version 1803)](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers) and configure it to show your online content. 
- -**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. - ->[!WARNING] ->For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. -> ->Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - -**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
- -### Methods for kiosks and digital signs running a UWP app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user -[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user -[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory -[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD - -### Methods for kiosks and digital signs running a Classic Windows app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory -[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD - - - - - -### Other settings to lock down - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: - -Recommendation | How to ---- | --- -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

You must restart the device after changing the registry. -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - - -**How to edit the registry to have an account automatically logged on** - -1. Open Registry Editor (regedit.exe). - - >[!NOTE]   - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - ->[!TIP] ->You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - - - -## Set up a kiosk or digital sign in local Settings - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use **Settings** to quickly configure one or a few devices as a kiosk. 
(Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) - -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. - -If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. - -If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - -![Screenshot of automatic sign-in setting](images/auto-signin.png) - -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. - -2. Choose **Set up assigned access**. - -3. Choose an account. - -4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). - -5. 
Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - -## Set up a kiosk or digital sign using Windows PowerShell - - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - - -## Set up a kiosk or digital sign using a provisioning package - ->App type: UWP or Classic Windows -> ->OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types -> ->Account type: Local standard user, Active Directory - ->[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). 
- - -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - - - - -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. - - - - - - - - - - - - -
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
- - ->[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - ->[!TIP] ->You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - -[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - -  - - - -## Set up a kiosk or digital sign in Intune or other MDM service - ->App type: UWP -> ->OS edition: Windows 10 Pro (version 1709), Ent, Edu -> ->Account type: Local standard user, Azure AD - -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. - -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. 
Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Kiosk (Preview)** for the profile type. -9. Enter a friendly name for the kiosk configuration. -10. Select **Kiosk - 1 setting available**. -10. Select **Add** to add a kiosk configuration. -10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**. -10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. -1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. - - - -## Set up a kiosk or digital sign using Shell Launcher - ->App type: Classic Windows -> ->OS edition: Windows 10 Ent, Edu -> ->Account type: Local standard user or administrator, Active Directory, Azure AD - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - ->[!NOTE] ->In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). -> ->You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). - ->[!WARNING] ->- Windows 10 doesn’t support setting a custom shell prior to OOBE. 
If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. - -2. Expand **Device Lockdown**. - -2. Select **Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. 
The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. 
- -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. 
- -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -  -## Related topics - -- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - - - diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index b1547d99cd..db8812512d 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md 
@@ -30,7 +30,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di
 - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 ## ComputerAccount
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index 744ae6a3b6..0f63fc68e7 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -13,7 +13,7 @@ ms.date: 09/06/2017
 # ProvisioningCommands (Windows Configuration Designer reference)
-Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package.
+Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package.
 ## Applies to
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 2f7f8216e2..a9e588a6f8 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -93,7 +93,7 @@ When you **enable** KeyboardFilter, a number of other settings become available
 ## ShellLauncher settings
-Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
+Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
 >[!WARNING]
 >Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.