From ab16de23dd76d3e0a4dc95a568d1eab035c5ea7b Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 5 Feb 2024 07:44:12 -0500
Subject: [PATCH] Fix Start menu customization and Intune settings
---
.../configure/intune-custom-settings-1.md | 9 +-
.../configure/intune-custom-settings-2.md | 5 +-
.../configure/intune-custom-settings-info.md | 9 --
.../includes/intune-settings-catalog-1.md | 9 ++
.../includes/intune-settings-catalog-2.md | 9 ++
.../includes/provisioning-package-1.md | 9 ++
.../includes/provisioning-package-2.md | 9 ++
windows/configuration/includes/tab-intro.md | 9 ++
.../quickstart-restricted-experience-xml.md | 59 ++++++++++++
.../kiosk/quickstart-restricted-experience.md | 92 ++++++-------------
.../customize-and-export-start-layout.md | 15 +--
...-10-start-screens-by-using-group-policy.md | 2 -
...reens-by-using-mobile-device-management.md | 3 -
...-by-using-provisioning-packages-and-icd.md | 2 +-
.../start/start-secondary-tiles.md | 10 +-
windows/configuration/start/toc.yml | 2 +-
...ws-10-start-layout-options-and-policies.md | 15 +--
17 files changed, 144 insertions(+), 124 deletions(-)
delete mode 100644 includes/configure/intune-custom-settings-info.md
create mode 100644 windows/configuration/includes/intune-settings-catalog-1.md
create mode 100644 windows/configuration/includes/intune-settings-catalog-2.md
create mode 100644 windows/configuration/includes/provisioning-package-1.md
create mode 100644 windows/configuration/includes/provisioning-package-2.md
create mode 100644 windows/configuration/includes/tab-intro.md
create mode 100644 windows/configuration/kiosk/includes/quickstart-restricted-experience-xml.md
diff --git a/includes/configure/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md
index 60125a46d1..de464de4d8 100644
--- a/includes/configure/intune-custom-settings-1.md
+++ b/includes/configure/intune-custom-settings-1.md
@@ -6,11 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
-To configure devices with Microsoft Intune, use a custom policy:
-
-1. Go to the Microsoft Intune admin center
-2. Select **Devices > Configuration profiles > Create profile**
-3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
-4. Select **Create**
-5. Specify a **Name** and, optionally, a **Description > Next**
-6. Add the following settings:
\ No newline at end of file
+To configure devices with Microsoft Intune, [create a custom policy](/mem/intune/configuration/custom-settings-windows-10) and use the following settings:
\ No newline at end of file
diff --git a/includes/configure/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md
index 03977b7a0d..287d5ebbf1 100644
--- a/includes/configure/intune-custom-settings-2.md
+++ b/includes/configure/intune-custom-settings-2.md
@@ -6,7 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
-7. Select **Next**
-8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-9. Under **Applicability Rules**, select **Next**
-10. Review the policy configuration and select **Create**
\ No newline at end of file
+Assign the policy to a group that contains as members the devices or users that you want to configure.
\ No newline at end of file
diff --git a/includes/configure/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md
deleted file mode 100644
index 8f406cf058..0000000000
--- a/includes/configure/intune-custom-settings-info.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/15/2023
-ms.topic: include
-ms.prod: windows-client
----
-
-For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/windows/configuration/includes/intune-settings-catalog-1.md b/windows/configuration/includes/intune-settings-catalog-1.md
new file mode 100644
index 0000000000..b27582fd32
--- /dev/null
+++ b/windows/configuration/includes/intune-settings-catalog-1.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:
\ No newline at end of file
diff --git a/windows/configuration/includes/intune-settings-catalog-2.md b/windows/configuration/includes/intune-settings-catalog-2.md
new file mode 100644
index 0000000000..287d5ebbf1
--- /dev/null
+++ b/windows/configuration/includes/intune-settings-catalog-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
\ No newline at end of file
diff --git a/windows/configuration/includes/provisioning-package-1.md b/windows/configuration/includes/provisioning-package-1.md
new file mode 100644
index 0000000000..951ca428e3
--- /dev/null
+++ b/windows/configuration/includes/provisioning-package-1.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+Use the following settings to [create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package):
diff --git a/windows/configuration/includes/provisioning-package-2.md b/windows/configuration/includes/provisioning-package-2.md
new file mode 100644
index 0000000000..b600e58e47
--- /dev/null
+++ b/windows/configuration/includes/provisioning-package-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+[Apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to the devices that you want to configure.
diff --git a/windows/configuration/includes/tab-intro.md b/windows/configuration/includes/tab-intro.md
new file mode 100644
index 0000000000..a818e4df8b
--- /dev/null
+++ b/windows/configuration/includes/tab-intro.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+The following instructions provide details how to configure your devices. Select the option that best suits your needs.
\ No newline at end of file
diff --git a/windows/configuration/kiosk/includes/quickstart-restricted-experience-xml.md b/windows/configuration/kiosk/includes/quickstart-restricted-experience-xml.md
new file mode 100644
index 0000000000..7138b355cb
--- /dev/null
+++ b/windows/configuration/kiosk/includes/quickstart-restricted-experience-xml.md
@@ -0,0 +1,59 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/05/2024
+ms.topic: include
+ms.prod: windows-client
+---
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
diff --git a/windows/configuration/kiosk/quickstart-restricted-experience.md b/windows/configuration/kiosk/quickstart-restricted-experience.md
index b54451dd9e..22236bff34 100644
--- a/windows/configuration/kiosk/quickstart-restricted-experience.md
+++ b/windows/configuration/kiosk/quickstart-restricted-experience.md
@@ -16,14 +16,19 @@ This quickstart provides practical examples of how to configure a restricted use
To complete this quickstart, you need:
- A Windows 11 device
-- Access to Microsoft Intune
-- Windows Configuration Designer
+- Microsoft Intune, or third-party MDM solution, if you want to configure the settings using MDM
+- Windows Configuration Designer, if you want to configure the settings using a provisioning package
## Configure a restricted user experience
-Select one of the tabs:
+[!INCLUDE [tab-intro](../includes/tab-intro.md)]
-#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune**](#tab/intune)
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+> [!TIP]
+> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
[!INCLUDE [intune-custom-settings-1](../../../includes/configure/intune-custom-settings-1.md)]
@@ -34,65 +39,29 @@ Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example", "description": "Collection of settings for Assigned Access", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] }
```
+[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].\
+
+Setting: `./Vendor/MSFT/AssignedAccess/Configuration`
+Value:
+
+[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
+
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
-Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
+Path: `AssignedAccess/MultiAppAssignedAccessSettings`
+Value:
+
+[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
+
+[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
-Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
@@ -103,11 +72,6 @@ Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider
> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
> 1. Run the script in the PowerShell session
-Edit the following sample PowerShell script to:
-
-- Customize the assessment URL with **$testURL**
-- Change the kiosk user tile name displayed in the sign-in screen with **$userTileName**
-
```powershell
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
@@ -194,6 +158,8 @@ if($cimSetError) {
Write-Output "Successfully applied Assigned Access configuration"
```
+For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
+
---
## User experience
@@ -212,3 +178,5 @@ After the settings are applied, reboot the device. A user account names `Library
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
+[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
diff --git a/windows/configuration/start/customize-and-export-start-layout.md b/windows/configuration/start/customize-and-export-start-layout.md
index 725c7c8756..3b02ea489a 100644
--- a/windows/configuration/start/customize-and-export-start-layout.md
+++ b/windows/configuration/start/customize-and-export-start-layout.md
@@ -21,9 +21,6 @@ When a full Start layout is applied, the users can't pin, unpin, or uninstall ap
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups.
-> [!NOTE]
-> Partial Start layout is only supported on Windows 10, version 1511 and later.
-
You can deploy the resulting .xml file to devices using one of the following methods:
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
@@ -52,9 +49,7 @@ To customize Start:
- **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group.
> [!IMPORTANT]
-> In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
->
-> In earlier versions of Windows 10, no tile would be pinned.
+> If the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
### Export the Start layout
@@ -66,17 +61,13 @@ When you have the Start layout that you want your users to see, use the [Export-
To export the Start layout to an .xml file:
1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
-1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
-
- `Export-StartLayout -path .xml`
-
- On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example:
+1. Run `Export-StartLayout` with the switch `-UseDesktopApplicationID`. For example:
```PowerShell
Export-StartLayout -UseDesktopApplicationID -Path layout.xml
```
- In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
+ In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, `\\FileServer01\StartLayouts\StartLayoutMarketing.xml`).
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension.
diff --git a/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md
index 6702f5d255..9ac7dd17ff 100644
--- a/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md
@@ -22,8 +22,6 @@ This topic describes how to update Group Policy settings to display a customized
## Operating system requirements
-In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro.
-
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base.
## How Start layout control works
diff --git a/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 1b378a93ca..3f401a1137 100644
--- a/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -13,9 +13,6 @@ ms.date: 08/05/2021
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
->[!NOTE]
->Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
-
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization).
>[!WARNING]
diff --git a/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index b8653f7973..287d043acd 100644
--- a/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -14,7 +14,7 @@ ms.date: 12/31/2017
> [!NOTE]
> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 1. It's not supported on Windows 11.
-In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
+You can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
> [!IMPORTANT]
> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
diff --git a/windows/configuration/start/start-secondary-tiles.md b/windows/configuration/start/start-secondary-tiles.md
index 60449adfba..f2e9e67c59 100644
--- a/windows/configuration/start/start-secondary-tiles.md
+++ b/windows/configuration/start/start-secondary-tiles.md
@@ -14,17 +14,11 @@ App tiles are the Start screen tiles that represent and launch an app. A tile th
- Status and updates from an important contact in a social app
- A website in Microsoft Edge
-In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo.
-
Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:
-In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image:
-
-
-
-In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
+By using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles display the same as they did on the device from which you exported the Start layout.
@@ -78,7 +72,6 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
1. In Windows PowerShell, enter the following command:
-
```powershell
Export-StartLayoutEdgeAssets assets.xml
```
@@ -139,7 +132,6 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce
#### Create a provisioning package that contains a customized Start layout
-
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
diff --git a/windows/configuration/start/toc.yml b/windows/configuration/start/toc.yml
index 649a679653..14581c249b 100644
--- a/windows/configuration/start/toc.yml
+++ b/windows/configuration/start/toc.yml
@@ -1,5 +1,5 @@
items:
-- name: Customizethe Start menu in Windows 11
+- name: Customize the Start menu in Windows 11
href: customize-start-menu-layout-windows-11.md
- name: Supported Start menu CSPs
href: supported-csp-start-menu-layout-windows.md
diff --git a/windows/configuration/start/windows-10-start-layout-options-and-policies.md b/windows/configuration/start/windows-10-start-layout-options-and-policies.md
index 6bc1b415c5..bc7f0ffde6 100644
--- a/windows/configuration/start/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/start/windows-10-start-layout-options-and-policies.md
@@ -3,6 +3,8 @@ title: Customize and manage the Windows 10 Start and taskbar layout
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.topic: article
ms.date: 08/05/2021
+appliesto:
+- ✅ Windows 10
---
# Customize the Start menu and taskbar layout on Windows 10 and later devices
@@ -184,19 +186,6 @@ In a clean install, if you apply a taskbar layout, only the following apps are p
After the layout is applied, users can pin more apps to the taskbar.
-### Taskbar configuration applied to Windows 10 upgrades
-
-When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup.
-
-On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior:
-
-- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right.
-- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned.
-- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right.
-- New apps specified in updated layout file are pinned to right of user's pinned apps.
-
-[Learn how to configure Windows 10 taskbar](../taskbar/configure-windows-10-taskbar.md).
-
## Start layout configuration errors
If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: