deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

sync

Browse Source
This commit is contained in:
jdeckerMS 2017-08-08 10:01:44 -07:00
parent 7c6c964ce3
commit b2ee56a368
3 changed files with 177 additions and 306 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/configuration/images/multiappassignedaccesssettings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.0 KiB

62
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -237,7 +237,69 @@ Before applying the multi-app configuration, make sure the specified user accoun
<span id="add-xml" />
## Add XML file to provisioning package
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md).
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
7. Save your project and close Windows Configuration Designer.
7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
7. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
![Customizations file with the placeholder text to replace highlighted](images/customization-start.png)
7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
8. Save and close the customizations.xml file.
8. Open Windows Configuration Designer and open your project.
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
<span id="apply-ppkg" />
## Apply provisioning package to device

421
windows/configuration/multi-app-kiosk-xml.md
View File

@ -1,6 +1,6 @@
---
title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
description: Learn how to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
title: Multi-app kiosk XML reference (Windows 10)
description: XML and XSD for multi-app kiosk device configuration.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
@ -8,128 +8,24 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
---
# Create a Windows 10 kiosk that runs multiple apps
# Multi-app kiosk XML reference
**Applies to**
- Windows 10
A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package.
>[!NOTE]
>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](#1703) to configure a multi-app kiosk.
The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they dont need to access.
>[!WARNING]
>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
Process:
1. [Create XML file](#create-xml-file)
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
## Prerequisites
- (latest version of WCD -- is Store version okay at GA?)
- kiosk device on 1709
## Create XML file
Let's start by looking at the basic structure of the XML file.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run.
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
- Multiple config sections can be associated to the same profile.
- A profile has no effect if its not associated to a config section.
![profile = app and config = account](images/profile-config.png)
You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic.
## Full XML sample
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="">
<AllAppsList>
<AllowedApps/>
</AllAppsList>
<StartLayout/>
<Taskbar/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account/>
<DefaultProfile Id=""/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
### Profile
A profile section in the XML has the following entries:
- [**Id**](#id)
- [**AllowedApps**](#allowedapps)
- [**StartLayout**](#startlayout)
- [**Taskbar**](#taskbar)
#### Id
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
```xml
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
</Profiles>
```
#### AllowedApps
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
>[!NOTE]
>You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins).
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
Here are the predefined assigned access AppLocker rules for **UWP apps**:
1. Default rule is to allow all users to launch the signed package apps.
2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
>[!NOTE]
>Multi-app kiosk mode doesnt block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
Here are the predefined assigned access AppLocker rules for **desktop apps**:
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device.
```xml
<AllAppsList>
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
@ -140,25 +36,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
```
#### StartLayout
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
A few things to note here:
- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `<CustomTaskbarLayoutCollection>` tag in a layout modification XML as part of the assigned access configuration.
- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesnt have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start.
```xml
<StartLayout>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
@ -181,184 +59,115 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,
</LayoutModificationTemplate>
]]>
</StartLayout>
```
![What the Start screen looks like when the XML sample is applied](images/sample-start.png)
#### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you dont attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
The following example exposes the taskbar to the end user:
`<Taskbar ShowTaskbar="true"/>`
The following example hides the taskbar:
`<Taskbar ShowTaskbar="false"/>`
>[!NOTE]
>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
### Configs
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or MDM policies set as part of the multi-app experience.
The full multi-app assigned access experience can only work for non-admin users. Its not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.
The account can be local, domain, or Azure Active Directory (Azure AD). Groups are not supported.
• Local account can be entered as `machinename\account` or `.\account` or just `account`.
• Domain account should be entered as `domain\account`.
• Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider its a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**.
>[!WARNING]
>Although **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other users** &gt; **Set up assigned access** only supports specifying a local user account, Assigned Access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the Assigned Access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with Assigned Access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
>[!NOTE]
>For both domain and Azure AD accounts, its not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for AssignedAccess.
```xml
<Configs>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</Configs>
</AssignedAccessConfiguration>
```
<span id="add-xml" />
## Add XML file to provisioning package
<span id="apply-ppkg" />
## Apply provisioning package to device
## Considerations for mixed-reality devices
*There are some Mixed Reality specific bits we wanted to include. For example, the IT Admin needs to include the Mixed Reality Portal as an allowed app if they want to include Mixed Reality apps in kiosk mode.*
<span id="lnk-files" />
#### placeholder for lnk
<span id="1703" />
## old method (pre-1709)
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
![install create lockdown customize](images/lockdownapps.png)
### Install apps
First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
### Use AppLocker to set rules for apps
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
1. Run Local Security Policy (secpol.msc) as an administrator.
2. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
![configure rule enforcement](images/apprule.png)
3. Check **Configured** under **Executable rules**, and then click **OK**.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
![automatically generate rules](images/genrule.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
6. Type a name to identify this set of rules, and then click **Next**.
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
9. Read the message and click **Yes**.
![default rules warning](images/appwarning.png)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
13. Restart the device.
### Other settings to lock down
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
- Remove **All apps**.
Go to **Group Policy Editor** &gt; **User Configuration** &gt; **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
### Customize Start screen layout for the device (recommended)
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
 
 
## XSD for AssignedAccess configuration XML
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="App"/>
<xs:field xpath="@AppUserModelId"/>
<xs:field xpath="@DesktopAppPath"/>
</xs:unique>
</xs:element>
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1" >
<xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedapps_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
<xs:key name="mutexAumidOrDesktopApp">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="app_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attribute name="DesktopAppPath" type="xs:string"/>
</xs:complexType>
<xs:complexType name="taskbar_t">
<xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="profileId_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Config" type="config_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Profiles" type="profile_list_t">
</xs:element>
<xs:element name="Configs" type="config_list_t"/>
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
```