Paolo Matarazzo
2024-02-13 13:52:49 +01:00
parent cbc455fcc5
commit 9a7f4215ef
3 changed files with 53 additions and 40 deletions


@ -556,6 +556,7 @@ After the admin has completed setup, the kiosk account can sign in and repeat th
There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
<!--
## Policies set by multi-app kiosk configuration
It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
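Review bot: The `<!--` added above `## Policies set by multi-app kiosk configuration` hides the section instead of deleting it, so the old policy tables stay in the source and can drift from the copy that now lives in the other file. If the content has moved, delete it here and leave a one-line link to the new location; if it is only parked temporarily, say so in the commit message.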
@ -567,33 +568,32 @@ When the multi-app assigned access configuration is applied on the device, certa
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users.
| Setting | Value |
| --- | --- |
Remove access to the context menus for the task bar | Enabled
Clear history of recently opened documents on exit | Enabled
Prevent users from customizing their Start Screen | Enabled
Prevent users from uninstalling applications from Start | Enabled
Remove All Programs list from the Start menu | Enabled
Remove Run menu from Start Menu | Enabled
Disable showing balloon notifications as toast | Enabled
Do not allow pinning items in Jump Lists | Enabled
Do not allow pinning programs to the Taskbar | Enabled
Do not display or track items in Jump Lists from remote locations | Enabled
Remove Notifications and Action Center | Enabled
Lock all taskbar settings | Enabled
Lock the Taskbar | Enabled
Prevent users from adding or removing toolbars | Enabled
Prevent users from resizing the taskbar | Enabled
Remove frequent programs list from the Start Menu | Enabled
Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled
Remove the Security and Maintenance icon | Enabled
Turn off all balloon notifications | Enabled
Turn off feature advertisement balloon notifications | Enabled
Turn off toast notifications | Enabled
Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled - Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
|--|--|
| Remove access to the context menus for the task bar | Enabled |
| Clear history of recently opened documents on exit | Enabled |
| Prevent users from customizing their Start Screen | Enabled |
| Prevent users from uninstalling applications from Start | Enabled |
| Remove Run menu from Start Menu | Enabled |
| Disable showing balloon notifications as toast | Enabled |
| Do not allow pinning items in Jump Lists | Enabled |
| Do not allow pinning programs to the Taskbar | Enabled |
| Do not display or track items in Jump Lists from remote locations | Enabled |
| Remove Notifications and Action Center | Enabled |
| Lock all taskbar settings | Enabled |
| Lock the Taskbar | Enabled |
| Prevent users from adding or removing toolbars | Enabled |
| Prevent users from resizing the taskbar | Enabled |
| Remove frequent programs list from the Start Menu | Enabled |
| Remove Pinned programs from the taskbar | Enabled |
| Remove the Security and Maintenance icon | Enabled |
| Turn off all balloon notifications | Enabled |
| Turn off feature advertisement balloon notifications | Enabled |
| Turn off toast notifications | Enabled |
| Remove Task Manager | Enabled |
| Remove Change Password option in Security Options UI | Enabled |
| Remove Sign Out option in Security Options UI | Enabled |
| Remove All Programs list from the Start Menu | Enabled - Remove and disable setting |
| Prevent access to drives from My Computer | Enabled - Restrict all drives |
> [!NOTE]
> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
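Review bot: The rewritten table is not only a reformat: the row `Remove 'Map Network Drive' and 'Disconnect Network Drive'` is gone and `Remove Pinned programs from the taskbar` appears in its place, while the note below still talks about the **Map Network Drive** dialog box. Please confirm the swap reflects what assigned access actually enforces, since admins rely on this list to know which restrictions hit every non-administrator account. The removal of the duplicate `Remove All Programs list from the Start menu | Enabled` row and the `drivers` to `drives` fix look right; both are worth a mention in the commit message because this hunk sits inside the block the commit comments out, so none of it renders.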
@ -622,6 +622,8 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
[Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes
-->
## Provision .lnk files using Windows Configuration Designer
First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
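Review bot: With `-->` placed directly above `## Provision .lnk files using Windows Configuration Designer`, the rendered page now jumps from the mixed reality paragraph straight to provisioning, and any inbound link to the hidden policy headings lands nowhere. Add a short sentence above this heading that points readers to the page now carrying the local policy and MDM policy tables.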


@ -48,19 +48,29 @@ The following local policies affect all **non-administrator** users on the syste
## MDM policy
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact).
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system.
| Setting | Value | System-wide |
|--|--|--|
| [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes |
| [Start/AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/HidePeopleBar | 1 - True (hide) | No |
| [Start/AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No |
| [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) | 1 - True (hide) | No |
| [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes |
| [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes |
| [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No |
| [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes |
<!--
## Start Menu
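Review bot: The intro sentence drops "(that is, system-wide impact)" but the table keeps a `System-wide` column, so the Yes/No values are no longer explained anywhere in the visible text. Keep a short definition, for example that "Yes" rows apply to every account on the device and "No" rows only to the assigned access user, because that distinction decides whether administrators are affected too. Two smaller points: `Start/DisableContextMenus` is now the only row without a CSP link, and the `<!--` ahead of `## Start Menu` has no closing marker in the visible lines, so check that it is closed further down.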


@ -68,15 +68,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```powershell
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
$assignedAccessConfiguration = @"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
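Review bot: `$assignedAccessConfiguration = @"` opens an expandable here-string, so PowerShell will interpolate any `$` sequence and process backticks inside the XML before it is encoded. Use a literal here-string (`@'` ... `'@`) so the configuration reaches the CSP exactly as written, which matters once someone pastes in a profile containing a `$` in a path or argument.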
@ -126,8 +118,17 @@ $obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
</Config>
</Configs>
</AssignedAccessConfiguration>
"@)
"@
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
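Review bot: `$obj.Configuration = ...` runs without checking that `Get-CimInstance` returned an instance; if `$obj` is null the assignment throws before the `$cimSetError` handling below is reached, and the reader gets a property-assignment error rather than the intended diagnostics. Add a guard after the `Get-CimInstance` line that stops with a clear message when no `MDM_AssignedAccess` instance is found. Also, `$obj = Set-CimInstance ...` without `-PassThru` assigns nothing back, so either drop the assignment or add `-PassThru` if the updated instance is needed later.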