Remove StartPins from Assigned Access configuration

Paolo Matarazzo 2024-03-01 08:31:03 -05:00
parent b178871ae4
commit 8fe24319e8
6 changed files with 88 additions and 20 deletions

@ -38,6 +38,43 @@ Here's a basic example of an Assigned Access configuration file, with one profil
</AssignedAccessConfiguration>
```
## Versioning
The Assigned Access configuration XML is versioned. The version is defined in the XML root element, and it's used to determine which schema to use to validate the XML file. The version is also used to determine which features are available for the configuration. Here's a table of the versions, aliases used in the documentation examples, and namespaces:
| Version | Alias | Namespace |
|-|-|-|
|Windows 11, version 22H2|v5|http://schemas.microsoft.com/AssignedAccess/2022/config|
|Windows 11, version 21H2|v4|http://schemas.microsoft.com/AssignedAccess/2021/config|
|Windows 10|v5|http://schemas.microsoft.com/AssignedAccess/202010/config|
|Windows 10|v3|http://schemas.microsoft.com/AssignedAccess/2020/config|
|Windows 10|rs5|http://schemas.microsoft.com/AssignedAccess/201810/config|
|Windows 10|default|http://schemas.microsoft.com/AssignedAccess/2017/config|
To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the `StartPins` feature that was added in Windows 11, version 22H2, use the below example. Notice the alias `v5` associated to the `http://schemas.microsoft.com/AssignedAccess/2022/config` namespace for 22H2 release, and the alias is tagged on `StartPins` inline.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
<v5:StartPins>
<!-- Add StartPins configuration here -->
</v5:StartPins>
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</AssignedAccessConfiguration>
```
Here you can find the Assigned Access XML schema definitions: [Assigned Access XML Schema Definition (XSD)](xsd.md).
## Profiles
A configuration file can contain one or more profiles. Each profile is identified by a unique identified `Profile Id`, for example:
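Review bot: the alias `v5` is assigned twice in the version table, once to `http://schemas.microsoft.com/AssignedAccess/2022/config` (Windows 11, version 22H2) and once to `http://schemas.microsoft.com/AssignedAccess/202010/config` (Windows 10), so a reader cannot tell which namespace a `v5:` prefix in an example refers to. Give the 202010 row its own alias, or state that the duplication is intended. In the paragraph under the table, "To authorize a compatible configuration XML" reads like a typo for "To author", and the trailing context line has "a unique identified `Profile Id`" where "unique identifier" is meant.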
@ -582,4 +619,9 @@ Either don't use the node or leave it empty
> [!div class="nextstepaction"]
> Review some practical examples of Assigned Access XML configurations:
>
> [Assigned Access examples](examples.md)
> [Assigned Access examples](examples.md)
<!--
> [!IMPORTANT]
> - You can't set both KioskModeApp and ShellLauncher at the same time on the device.
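Review bot: the `<!--` opened after the next-step link has no matching `-->` in the visible lines of this hunk, so confirm the comment is closed before the end of the file; otherwise everything after it is swallowed. If the `[!IMPORTANT]` note that KioskModeApp and ShellLauncher can't both be set on the device still holds, publish it in the article body rather than parking it in a comment, and delete it if it does not.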

@ -146,7 +146,6 @@ $assignedAccessConfiguration = @"
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]>
</v5:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
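Review bot: this hunk removes exactly one line (7 lines before, 6 after) from XML embedded in the `$assignedAccessConfiguration` here-string, in the region of `}]]>` and `</v5:StartPins>`. Check that the CDATA section and the `v5:StartPins` element still open and close as a pair after the removal, and that the `xmlns:v5` declaration is still needed, because a malformed document inside a here-string is not caught until the script tries to apply it.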

@ -117,12 +117,7 @@ These locations contain the latest "evaluated" configuration for each sign-in us
> [!NOTE]
> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!NOTE]
> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).
> [!IMPORTANT]
> - You can't set both KioskModeApp and ShellLauncher at the same time on the device.
> [!NOTE]
> To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that was added in the 1809 release, use the below sample. Notice an alias `r1809` is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
-->
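Review bot: the lines that stay inside this `<!-- ... -->` block are dead text that still has to be maintained. The 1809 note uses the alias `r1809` for the 201810 namespace, while the version table added elsewhere in this commit uses `rs5` for `http://schemas.microsoft.com/AssignedAccess/201810/config`; if the note is kept for reuse, align the alias and fix "To authorize", otherwise drop the whole commented block.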

@ -565,4 +565,6 @@ Follow the [best practices guidance for developing a kiosk app for assigned acce
The above guidelines may help you select or develop an appropriate Windows app for your Assigned Access experience. Once you've selected your app, we recommend that you thoroughly test the Assigned Access experience to ensure that your device provides a good customer experience.
>
> [!NOTE]
> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout).
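Review bot: the added note says deleting the multi-app configuration "can't revert all the enforced policies" but names only Start Layout and gives no next step. Since this decides whether a former kiosk device is really back to an unrestricted state, list the policies that persist or link to the procedure for clearing them. The note also lands directly after the app-selection and testing paragraph; consider whether it belongs with text about removing a configuration instead.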

@ -7,7 +7,7 @@ ms.topic: how-to
# Create a Shell Launcher configuration file
To configure Shell Launcher, you must create and apply a configuration XML file to your devices. The configuration file must conform to a schema, as defined in [Shell Launcher XML Schema Definition (XSD)](xsd.md).
To configure Shell Launcher, you must create and apply a configuration XML file to your devices. The configuration file must conform to a *schema*, as defined in [Shell Launcher XML Schema Definition (XSD)](xsd.md).
This article describes how to configure a Shell Launcher configuration file, including practical examples.
@ -41,6 +41,38 @@ Here's a basic example of a Shell Launcher configuration file, with one profile
</ShellLauncherConfiguration>
```
## Versioning
The Shell Launcher configuration XML is versioned. The version is defined in the XML root element, and it's used to determine which schema to use to validate the XML file. The version is also used to determine which features are available for the configuration. Here's a table of the versions, aliases used in the documentation examples, and namespaces:
| Version | Alias | Namespace |
|-|-|-|
|Windows 10|V2|http://schemas.microsoft.com/ShellLauncher/2019/Configuration|
|Windows 10|default|http://schemas.microsoft.com/ShellLauncher/2018/Configuration|
To authorize a compatible configuration XML that includes version-specific elements and attributes, always include the namespace of the add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the kiosk application to execute in full screen, use the below example. Notice the alias `V2` associated to `http://schemas.microsoft.com/ShellLauncher/2019/Configuration` namespace, and the alias is tagged on the `AppType` and `AllAppsFullScreen` properties inline.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<ShellLauncherConfiguration
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
<Profiles>
<Profile Id="{GUID}">
<!-- Add configuration here as needed -->
<Shell Shell="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" V2:AppType="Desktop" V2:AllAppsFullScreen="true">
</Profile>
</Profiles>
<Configs>
<Config>
<!-- Add configuration here as needed -->
</Config>
</Configs>
</ShellLauncherConfiguration>
```
Here you can find the [Shell Launcher XML Schema Definitions (XSDs)](xsd.md).
## Profiles
A configuration file can contain one or more profiles. Each profile has a unique identifier `Profile Id` and, optionally, a `Name`. For example:
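Review bot: in the added example, the `<Shell ... V2:AppType="Desktop" V2:AllAppsFullScreen="true">` element is neither self-closed nor followed by `</Shell>`, so the sample is not well-formed XML and fails if copied as is; end the tag with `/>` or add the closing tag. In the paragraph above the example, "To authorize a compatible configuration XML" reads like a typo for "To author", and the table uses the alias `V2` in upper case while the Assigned Access table in this commit uses lower-case aliases, which is worth a sentence if the difference is deliberate.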
@ -115,16 +147,14 @@ In the next example, Microsoft Edge is executed in full screen, opening a websit
#### ReturnCodeActions
Shell Launcher defines four actions to handle app exits. You can customize Shell Launcher and use the actions based on different exit code.
Shell Launcher defines four actions to handle app exits. You can customize Shell Launcher and use the actions based on different exit code. Here are the `ReturnCodeActions` enums:
| Value | Description |
|--|--|
| `0` | Restart the shell |
| `1` | Restart the device |
| `2` | Shut down the device |
| `3` | Do nothing |
- `RestartShell`
- `RestartDevice`
- `ShutdownDevice`
- `DoNothing`
These actions can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to learn how to use these codes with Shell Launcher WMI.
The actions can be used as default action, or mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to learn how to use exit codes with Shell Launcher WMI.
You can specify at most four custom actions mapping to four exit codes, and one default action for all other exit codes. When an app exits, and if the exit code isn't found in the custom action mapping, or there's no default action defined, nothing happens. For this reason, you should at least define `DefaultAction`.
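Review bot: the closing context paragraph says nothing happens when "the exit code isn't found in the custom action mapping, or there's no default action defined"; since the sentence before it says the default action covers all other exit codes, the condition should be joined with "and", not "or". As written, it suggests an unmapped exit code does nothing even when `DefaultAction` is set, which undercuts the recommendation to define it. In the changed intro sentence, "based on different exit code" should be "exit codes", and with both the `0`-`3` table and the `RestartShell`/`RestartDevice`/`ShutdownDevice`/`DoNothing` names in this hunk, state once how the values and names correspond.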

@ -17,13 +17,13 @@ Practical examples include:
Shell Launcher controls which application the user sees as the shell after sign-in. It doesn't prevent the user from accessing other desktop applications and system components. From a custom shell, you can launch secondary views displayed on multiple monitors, or launch other apps in full screen on user's demand.
Methods of controlling access to other desktop applications and system components can be used with Shell Launcher. These methods include, but are not limited to:
With Shell Launcher you can use features and methods to control access to other applications or system components. These methods include, but are not limited to:
- Configuration Service Provider (CSP): you can use a Mobile Device Management (MDM) solution like Microsoft Intune
- Group policy (GPO)
- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
Shell Launcher is part of the [Assigned Access](../overview.md) feature, which you can use to set up a kiosk device or a restricted user experience. To learn about the differences between Shell Launcher and the other options offered by Assigned Access, see [Configure kiosks and restricted user experiences](../index.md).
Shell Launcher is part of the [Assigned Access](../overview.md) feature, which allows you to configure kiosks or a restricted user experiences. To learn about the differences between Shell Launcher and the other options offered by Assigned Access, see [Configure kiosks and restricted user experiences](../index.md).
[!INCLUDE [shell-launcher](../../../../includes/licensing/shell-launcher.md)]
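Review bot: the reworded sentence "With Shell Launcher you can use features and methods to control access to other applications or system components" can be read as Shell Launcher supplying those controls, directly after the paragraph stating that it doesn't prevent the user from accessing other desktop applications and system components. Keep the sense of the earlier wording, that CSP, Group Policy and AppLocker are separate controls used alongside Shell Launcher, so nobody deploys a custom shell and assumes the device is locked down. In the last changed sentence, "a restricted user experiences" should be "restricted user experiences".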