Merged PR 6601: Rename file and add digital sign info for marketing announcement

This commit is contained in:
Jeanie Decker 2018-03-23 14:06:01 +00:00
parent 6f391ec8db
commit ac76fd943e
8 changed files with 195 additions and 158 deletions

View File

@ -6185,6 +6185,11 @@
"redirect_url": "/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions", "redirect_url": "/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions",
"redirect_document_id": true "redirect_document_id": true
}, },
{
"source_path": "windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md",
"redirect_url": "/windows/configuration/setup-kiosk-digital-signage",
"redirect_document_id": true
},
{ {
"source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", "source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition", "redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",

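Review bot: The new entry makes `windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md` a redirect source, but the existing entry directly above it still has a `redirect_url` ending in `/set-up-a-kiosk-for-windows-10-for-desktop-editions`, so that older path now resolves through two hops. In the same change, point the existing `redirect_url` values that target the old kiosk URL straight at `/windows/configuration/setup-kiosk-digital-signage`.
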
View File

@ -12,7 +12,7 @@
## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) ## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) ### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) ### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md)
### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) ### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) ### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.localizationpriority: high ms.localizationpriority: high
author: jdeckerms author: jdeckerms
ms.date: 03/13/2018 ms.date: 03/23/2018
--- ---
# Change history for Configure Windows 10 # Change history for Configure Windows 10
@ -20,6 +20,8 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
New or changed topic | Description New or changed topic | Description
--- | --- --- | ---
[Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update. [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update.
Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer.
## February 2018 ## February 2018

View File

@ -19,6 +19,6 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
| Topic | Description | | Topic | Description |
| --- | --- | | --- | --- |
| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | | [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. | | [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. | | [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. | | [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
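
Review bot: The renamed row now links to `setup-kiosk-digital-signage.md` with "digital signage" in its title, but the Description cell is unchanged and still covers only a kiosk "so that users can only interact with a single application that you select". Add a clause about digital signs so the row matches its new title, and while this table is being touched, fix "approprate" in the row that follows.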

View File

@ -41,7 +41,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
- [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
- [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)

View File

@ -82,7 +82,7 @@ The following table describes settings that you can configure using the wizards
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)

View File

@ -1,44 +1,124 @@
--- ---
title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10) title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10)
description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
keywords: ["assigned access", "kiosk", "lockdown"] keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: manage ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: jdeckerms author: jdeckerms
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 01/31/2018 ms.date: 03/23/2018
--- ---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education # Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
**Applies to** **Applies to**
- Windows 10 - Windows 10
> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions.
- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). In Windows 10, version 1709, you can use the [Provision kiosk devices wizard](#wizard) to configure a kiosk device running a Universal Windows app for Windows 10 Pro. Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps.](lock-down-windows-10-to-specific-apps.md).)
or
- For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature (Windows 10 Pro, Enterprise, or Education).
or
## Choose a method for configuring your kiosks and digitals signs
- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only).
**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart.
>[!TIP] >[!TIP]
>To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). >For **digital signage**, simply select a digital sign player as your kiosk app.
>[!NOTE] **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk.
>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
## Using a local device as a kiosk >[!WARNING]
>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
>
>Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
### Methods for kiosks and digital signs running a UWP app
Choose this method | For this edition | For this kiosk account type
--- | --- | ---
[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user
[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user
[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user
[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
### Methods for kiosks and digital signs running a Classic Windows app
Choose this method | For this edition | For this kiosk account type
--- | --- | ---
[Provisioning](#wizard) | Ent, Edu | Local standard user
[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD
### Other settings to lock down
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
Recommendation | How to
--- | ---
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`</br></br>[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)</br></br>You must restart the device after changing the registry.
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
Disable the hardware power button. | Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
Remove the power button from the sign-in screen. | Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
Disable the camera. | Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
Turn off app notifications on the lock screen. | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
Disable removable media. | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
**How to edit the registry to have an account automatically logged on**
1. Open Registry Editor (regedit.exe).
>[!NOTE]  
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 
2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
- *DefaultUserName*: set value as the account that you want logged in.
- *DefaultPassword*: set value as the password for the account.
> [!NOTE]
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
>[!TIP]
>You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
<span id="local"/>
## Set up a kiosk or digital sign in local Settings
>App type: UWP
>
>OS edition: Windows 10 Pro, Ent, Edu
>
>Account type: Local standard user
You can use **Settings** to quickly configure one or a few devices as a kiosk. (Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
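
Review bot: In the added "How to edit the registry to have an account automatically logged on" steps, step 3 has the administrator write the account password into a `DefaultPassword` String Value under HKEY_LOCAL_MACHINE, with nothing tying it back to the WARNING earlier in this hunk about using a least-privilege local standard account when auto sign-in is enabled. Repeat or link that warning at step 3, and consider moving the Sysinternals Autologon TIP ahead of the manual steps. The path in step 2 also reads `WindowsNT`; the key name is `Windows NT`, and the backslash escaping in that line is inconsistent. Smaller text fixes in the added lines: "more than one more app", "digitals signs", and "Windows Mangement Instrumentation".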
@ -48,99 +128,33 @@ If you do not want the kiosk account signed in automatically when the device res
![Screenshot of automatic sign-in setting](images/auto-signin.png) ![Screenshot of automatic sign-in setting](images/auto-signin.png)
<span id="wizard" /> **To set up assigned access in PC settings**
## Set up a kiosk using Windows Configuration Designer
When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. 1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other people**.
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
<table>
<tr><td style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step two](images/two.png) ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](images/three.png) ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 
</td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)</br></br>**Important:** You must use the Windows Configuration Designer app from Microsoft Store to select a Classic Windows application as the kiosk app in a provisioning package.</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
<tr><td style="width:45%" valign="top"> ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
</table>
>[!NOTE]
>If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
 
<span id="assigned-access" />
## Assigned access method for Universal Windows apps
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
### Requirements
- A domain or local user account.
- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.
>[!NOTE]  
>Assigned access does not work on a device that is connected to more than one monitor.
 
### Set up assigned access in PC settings
1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other users**.
2. Choose **Set up assigned access**. 2. Choose **Set up assigned access**.
3. Choose an account. 3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). 4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on. 5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
### Set up assigned access in MDM >[!NOTE]  
>Single-app kiosk configuration using assigned access does not work on a device that is connected to more than one monitor.
Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode.
[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608)
<sp id="set-up-assigned-access-wcd" />
<span id="powershell"/>
## Set up a kiosk or digital sign using Windows PowerShell
### Set up assigned access using Windows PowerShell
>App type: UWP
>
>OS edition: Windows 10 Pro, Ent, Edu
>
>Account type: Local standard user
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
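
Review bot: The old side of this hunk drops the `### Set up assigned access in MDM` heading, yet the methods table added in the previous hunk links its Intune/MDM row to `#set-up-assigned-access-in-mdm`, and the same table links `[ShellLauncher](#shelllauncher)` where the old page used `#shell-launcher`. Confirm both targets exist in the new file, either as a heading or as a `<span id>` like the ones added for `local`, `powershell` and `wizard`. The removed "Requirements" list (AUMID, above lock screen app) should also be checked for a new home, since the PowerShell section that follows still depends on the AUMID.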
@ -178,50 +192,91 @@ Clear-AssignedAccess
``` ```
### Set up automatic logon <span id="wizard" />
## Set up a kiosk or digital sign using a provisioning package
When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. >App type: UWP or Classic Windows
>
>OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types
>
>Account type: Local standard user
Edit the registry to have an account automatically logged on. When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application.
1. Open Registry Editor (regedit.exe). >[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
>[!NOTE]  
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 
2. Go to [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**. <table>
<tr><td style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step two](images/two.png) ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](images/three.png) ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 
</td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
<tr><td style="width:45%" valign="top"> ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
</table>
- *DefaultUserName*: set value as the account that you want logged in.
- *DefaultPassword*: set value as the password for the account. >[!NOTE]
>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
> [!NOTE]
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
### Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. [Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
<span id="shell-launcher" />
## Shell Launcher for Classic Windows applications
 
## Set up a kiosk or digital sign in Intune or other MDM service
>App type: UWP
>
>OS edition: Windows 10 Pro (version 1709), Ent, Edu
>
>Account type: Local standard user, Azure AD
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
**To configure kiosk in Microsoft Intune**
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
3. Select **Device configuration**.
4. Select **Profiles**.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Single app kiosk**.
1. Enter the user account (Azure AD or a local standard user account).
11. Enter the Application User Model ID for an installed app.
14. Select **OK**, and then select **Create**.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
<span id="shelllauncher" />
## Set up a kiosk or digital sign using Shell Launcher
>App type: Classic Windows
>
>OS edition: Windows 10 Ent, Edu
>
>Account type: Local standard user or administrator, Active Directory, Azure AD
Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
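Review bot: The step numbers in the added Intune procedure run 2, 3, 4 through 10, then 1, 11, 14, 18, so the list starts at 2, has a stray "1. Enter the user account" after step 10, and skips numbers at the end. Renumber it sequentially, and if "Enter the user account" and "Enter the Application User Model ID" are meant as sub-steps of "Single app kiosk", indent them under step 10. Two further points: the Shell Launcher anchor appears to change from `<span id="shell-launcher" />` to `<span id="shelllauncher" />`, so inbound links to `#shell-launcher` need the same update that the `#wizard` link gets later in this commit; and the removed "Set up automatic logon" text carried the caveat that Group Policy settings must not prevent automatic logon, which the wizard's automatic sign-in toggle in step six does not repeat.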
@ -239,6 +294,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Classic Windo
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) [See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
### Configure Shell Launcher ### Configure Shell Launcher
To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
@ -399,41 +455,15 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
``` ```
## Other settings to lock down ## Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
- Put device in **Tablet mode**. **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Remove the power button from the sign-in screen.
Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
>[!NOTE]  
>To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
   
## Related topics ## Related topics
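Review bot: The "Other settings to lock down" section is removed here, and with it the hardening list (hide Ease of access on the logon screen, disable the hardware power button, remove the power button from the sign-in screen, disable the camera, turn off app notifications on the lock screen, restrict removable media). Nothing in the visible hunks adds it back, so confirm that it moves to another file in this commit, or link to its new location from this page, so the kiosk guide still points readers to those steps. In the relocated sign-out text, `**Task Manager** > **Users**` uses a raw `>` where the rest of the page uses `&gt;`, and "enter the value data as milliseconds in hexadecimal" would be easier to follow with the 30-second default shown as an example value.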

View File

@ -29,7 +29,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di
- [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
## ComputerAccount ## ComputerAccount