This commit is contained in:
Paolo Matarazzo
2024-02-13 13:52:49 +01:00
parent cbc455fcc5
commit 9a7f4215ef
3 changed files with 53 additions and 40 deletions


@ -556,6 +556,7 @@ After the admin has completed setup, the kiosk account can sign in and repeat th
There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
<!--
## Policies set by multi-app kiosk configuration ## Policies set by multi-app kiosk configuration
It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
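Review bot: The `<!--` added above "## Policies set by multi-app kiosk configuration" hides the section instead of removing it, so the source keeps an unrendered copy of the policy lists that this commit also maintains in another file. If the content has moved, delete it here so the two copies cannot drift apart, and check for links that target this heading's anchor, since they stop resolving once the heading is no longer rendered.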
@ -567,33 +568,32 @@ When the multi-app assigned access configuration is applied on the device, certa
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users. The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users.
| Setting | Value | | Setting | Value |
| --- | --- | |--|--|
Remove access to the context menus for the task bar | Enabled | Remove access to the context menus for the task bar | Enabled |
Clear history of recently opened documents on exit | Enabled | Clear history of recently opened documents on exit | Enabled |
Prevent users from customizing their Start Screen | Enabled | Prevent users from customizing their Start Screen | Enabled |
Prevent users from uninstalling applications from Start | Enabled | Prevent users from uninstalling applications from Start | Enabled |
Remove All Programs list from the Start menu | Enabled | Remove Run menu from Start Menu | Enabled |
Remove Run menu from Start Menu | Enabled | Disable showing balloon notifications as toast | Enabled |
Disable showing balloon notifications as toast | Enabled | Do not allow pinning items in Jump Lists | Enabled |
Do not allow pinning items in Jump Lists | Enabled | Do not allow pinning programs to the Taskbar | Enabled |
Do not allow pinning programs to the Taskbar | Enabled | Do not display or track items in Jump Lists from remote locations | Enabled |
Do not display or track items in Jump Lists from remote locations | Enabled | Remove Notifications and Action Center | Enabled |
Remove Notifications and Action Center | Enabled | Lock all taskbar settings | Enabled |
Lock all taskbar settings | Enabled | Lock the Taskbar | Enabled |
Lock the Taskbar | Enabled | Prevent users from adding or removing toolbars | Enabled |
Prevent users from adding or removing toolbars | Enabled | Prevent users from resizing the taskbar | Enabled |
Prevent users from resizing the taskbar | Enabled | Remove frequent programs list from the Start Menu | Enabled |
Remove frequent programs list from the Start Menu | Enabled | Remove Pinned programs from the taskbar | Enabled |
Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled | Remove the Security and Maintenance icon | Enabled |
Remove the Security and Maintenance icon | Enabled | Turn off all balloon notifications | Enabled |
Turn off all balloon notifications | Enabled | Turn off feature advertisement balloon notifications | Enabled |
Turn off feature advertisement balloon notifications | Enabled | Turn off toast notifications | Enabled |
Turn off toast notifications | Enabled | Remove Task Manager | Enabled |
Remove Task Manager | Enabled | Remove Change Password option in Security Options UI | Enabled |
Remove Change Password option in Security Options UI | Enabled | Remove Sign Out option in Security Options UI | Enabled |
Remove Sign Out option in Security Options UI | Enabled | Remove All Programs list from the Start Menu | Enabled - Remove and disable setting |
Remove All Programs list from the Start Menu | Enabled - Remove and disable setting | Prevent access to drives from My Computer | Enabled - Restrict all drives |
Prevent access to drives from My Computer | Enabled - Restrict all drivers
> [!NOTE] > [!NOTE]
> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. > When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
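Review bot: These table corrections are made inside the block this commit comments out, so none of them reach the rendered page. That covers the dropped "Remove 'Map Network Drive' and 'Disconnect Network Drive'" row, the added "Remove Pinned programs from the taskbar" row, and the fix from "Restrict all drivers" to "Restrict all drives". Make sure the rendered copy of the table carries the same rows, and state in the commit message why the Map Network Drive row was removed, because administrators read this list to learn which restrictions apply to every non-administrator account. The data rows also still lack the leading `|` that the header and the new `|--|--|` separator use.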
@ -622,6 +622,8 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
[Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes
-->
## Provision .lnk files using Windows Configuration Designer ## Provision .lnk files using Windows Configuration Designer
First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk` First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`


@ -48,19 +48,29 @@ The following local policies affect all **non-administrator** users on the syste
## MDM policy ## MDM policy
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact).
Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system.
| Setting | Value | System-wide | | Setting | Value | System-wide |
|--|--|--| |--|--|--|
| [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes | | [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes |
| [Start/AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes | | [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/HidePeopleBar | 1 - True (hide) | No | | [Start/AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes |
| Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No |
| [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) | 1 - True (hide) | No |
| [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes | | [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes |
| [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes | | [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes |
| [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No | | [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No |
| [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes | | [WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes |
<!-- <!--
## Start Menu ## Start Menu
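Review bot: The new `Start/DisableContextMenus` row is the only entry in the table without a link to its Policy CSP page, while `Start/HidePeopleBar` gains one in this same hunk; link it the same way. Separately, removing "(that is, system-wide impact)" from the intro leaves the **System-wide** column undefined, so consider one sentence saying that "Yes" in that column marks the policies that affect all users on the system.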


@ -68,15 +68,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)] [!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```powershell ```powershell
$eventLogFilterHashTable = @{ $assignedAccessConfiguration = @"
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?> <?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
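Review bot: `$assignedAccessConfiguration = @"` opens an expandable here-string, so PowerShell interpolates any `$` or backtick sequence that appears in the XML before it is HTML-encoded. The XML is meant to be passed through literally, so a single-quoted here-string (`@'` ... `'@`) is the safer choice now that the configuration lives in its own variable.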
@ -126,8 +118,17 @@ $obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
</Config> </Config>
</Configs> </Configs>
</AssignedAccessConfiguration> </AssignedAccessConfiguration>
"@) "@
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue $obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) { if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
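Review bot: `$obj` is used on the line after `Get-CimInstance` without a check, so if no `MDM_AssignedAccess` instance is returned, `$obj.Configuration = ...` fails before the `$cimSetError` handling can report anything useful. Test `$obj` for `$null` and stop with a clear message. Also, `$obj = Set-CimInstance ...` overwrites the instance with the cmdlet's output, which is empty unless `-PassThru` is given; drop the assignment, or add `-PassThru` if the updated instance is needed.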