From 06a53d496423347909692d20378033d4be12c9fd Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 5 Feb 2018 12:06:23 -0800 Subject: [PATCH 01/21] add Chandler's RS4 changes, waiting on note from Lily --- .../lock-down-windows-10-to-specific-apps.md | 63 ++++++++++++++++++- 1 file changed, 61 insertions(+), 2 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index ea121c6820..cb46b505aa 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -92,7 +92,12 @@ You can start your file by pasting the following XML (or any other examples in t ### Profile -A profile section in the XML has the following entries: +There are two types of profiles tha tyou can specify in the XML: + +- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. +- **Kiosk profile**: New in Windows 10, version (1804?), this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. + +A lockdown profile section in the XML has the following entries: - [**Id**](#id) @@ -102,6 +107,13 @@ A profile section in the XML has the following entries: - [**Taskbar**](#taskbar) +A kiosk profile in the XML has the following entries: + +- [**Id**](#id) + +- [**KioskModeApp**](#kioskmodeapp) + + #### Id 
@@ -221,15 +233,32 @@ The following example hides the taskbar: >[!NOTE] >This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. +#### KioskModeApp + +**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. + +```xml + +``` + +>[!IMPORTANT] +>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Direcotry account could potentially compromise confidential information. + ### Configs Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. +Individual accounts can be local, domain, or Azure Active Directory (Azure AD). In Windows 10, version (1804?), group accounts are also supported. Group accounts can be local, Active Directory (domain), or Azure AD. +>[!NOTE] +>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. + +#### Configs for individual accounts + +Individual accounts are specified using ``. -The account can be local, domain, or Azure Active Directory (Azure AD). 
Groups are not supported. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. - Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**. @@ -253,7 +282,37 @@ Before applying the multi-app configuration, make sure the specified user accoun ``` +#### Configs for group accounts +Group accounts are specified using ``. + +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. + ```xml + + + + + ``` +- Domain group: Both security and distribution groups are supported. Specify the group type as **ActiveDirectoryGroup**. Use the domain name as the prefix in the name attribute. + + ```xml + + + + + ``` + +- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. + + ```xml + + + + + ``` + + >[!NOTE] + >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. ## Add XML file to provisioning package From 5e5a737e886104fe470d36728bcfe91d534a1f63 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 5 Feb 2018 12:40:01 -0800 Subject: [PATCH 02/21] format tweaks --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index cb46b505aa..c8b14ce83c 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -92,7 +92,7 @@ You can start your file by pasting the following XML (or any other examples in t ### Profile -There are two types of profiles tha tyou can specify in the XML: +There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. - **Kiosk profile**: New in Windows 10, version (1804?), this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. @@ -287,6 +287,7 @@ Before applying the multi-app configuration, make sure the specified user accoun Group accounts are specified using ``. - Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. + ```xml From 9d85f46187bf287a4dc183156278af2e6fd7f2c2 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 6 Feb 2018 06:49:41 -0800 Subject: [PATCH 03/21] gp/mdm from Evan --- .../lock-down-windows-10-to-specific-apps.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index c8b14ce83c..e9882cfe74 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -284,7 +284,7 @@ Before applying the multi-app configuration, make sure the specified user accoun #### Configs for group accounts -Group accounts are specified using ``. +Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in , user A will not have the kiosk experience. - Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. @@ -633,7 +633,6 @@ Lock the Taskbar | Enabled Prevent users from adding or removing toolbars | Enabled Prevent users from resizing the taskbar | Enabled Remove frequent programs list from the Start Menu | Enabled -Remove Pinned programs from the taskbar | Enabled Remove the Security and Maintenance icon | Enabled Turn off all balloon notifications | Enabled Turn off feature advertisement balloon notifications | Enabled 
@@ -657,9 +656,19 @@ Some of the MDM policies based on the [Policy configuration service provider (CS Setting | Value | System-wide --- | --- | --- [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes +[Start/AllowPinnedFolderDocuments](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderDownloads](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderFileExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderHomeGroup](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderMusic](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderPersonalFolder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | 0 - 
Shortcut is hidden and disables the setting in the Settings app | Yes [Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -Start/HidePeopleBar | 1 - True (hide) | No -[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes +[Start/AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No +[Start/HidePeopleBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) | 1 - True (hide) | No +[Start/HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes [WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes [Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No [WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes From 114d7fe00c7f4798c1d856f5515e017b85326ee1 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 6 Feb 2018 09:35:22 -0800 Subject: [PATCH 04/21] sync --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index e9882cfe74..78b28f9c10 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -257,7 +257,7 @@ Individual accounts can be local, domain, or Azure Active Directory (Azure AD). #### Configs for individual accounts -Individual accounts are specified using ``. +Individual accounts are specified using `` or ``. When you use ``, the specific account is signed in automatically after restart. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. From e15c6a6c7b602865499a67e2fa491e0a4c106a73 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 6 Feb 2018 10:25:48 -0800 Subject: [PATCH 05/21] add GP settings --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 78b28f9c10..e2b148b53f 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -633,6 +633,7 @@ Lock the Taskbar | Enabled Prevent users from adding or removing toolbars | Enabled Prevent users from resizing the taskbar | Enabled Remove frequent programs list from the Start Menu | Enabled +Remove ‘Map Network Drive’ and ‘Disconnect Network Drive’ | Enabled Remove the Security and Maintenance icon | Enabled Turn off all balloon notifications | Enabled Turn off feature advertisement balloon notifications | Enabled From 986f853971337fadd525ff7ae1d5524947cb12e9 Mon Sep 17 00:00:00 2001 
From: Jeanie Decker Date: Tue, 6 Feb 2018 12:28:50 -0800 Subject: [PATCH 06/21] autologonaccount --- .../lock-down-windows-10-to-specific-apps.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index e2b148b53f..d574d83381 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -282,6 +282,15 @@ Before applying the multi-app configuration, make sure the specified user accoun ``` +```xml + + + MultiAppKioskUser + + + +``` + #### Configs for group accounts Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in , user A will not have the kiosk experience. From 1920897ed88962a7cc0bae532f120aef9b133e94 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 6 Feb 2018 12:32:03 -0800 Subject: [PATCH 07/21] fix format --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index d574d83381..b89614a370 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -293,7 +293,7 @@ Before applying the multi-app configuration, make sure the specified user accoun #### Configs for group accounts -Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in , user A will not have the kiosk experience. +Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. - Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. From b2bf22d8bb369b3c182b02bdff658f6c7e288aa3 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 7 Feb 2018 06:57:54 -0800 Subject: [PATCH 08/21] autologon account --- .../lock-down-windows-10-to-specific-apps.md | 38 ++++++++++++------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index b89614a370..7b4e584dd3 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -248,16 +248,33 @@ The following example hides the taskbar: Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. -Individual accounts can be local, domain, or Azure Active Directory (Azure AD). In Windows 10, version (1804?), group accounts are also supported. Group accounts can be local, Active Directory (domain), or Azure AD. +You can assign: + +- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version (1804?) only) +- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts) +- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version (1804?) only) >[!NOTE] ->Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. +>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. 
-#### Configs for individual accounts +#### Config for AutoLogon Account -Individual accounts are specified using `` or ``. When you use ``, the specific account is signed in automatically after restart. +When you use `` and the configuration is applied to a device, the specified account is created on the device as a local standard user account. The specified account is signed in automatically after restart. + +```xml + + + MultiAppKioskUser + + + +``` + +#### Config for individual accounts + +Individual accounts are specified using ``. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. @@ -282,16 +299,9 @@ Before applying the multi-app configuration, make sure the specified user accoun ``` -```xml - - - MultiAppKioskUser - - - -``` -#### Configs for group accounts + +#### Config for group accounts Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. From cfc3e9789a314edceaf391bf0c271852b355ad68 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 8 Feb 2018 10:40:22 -0800 Subject: [PATCH 09/21] sync --- .../lock-down-windows-10-to-specific-apps.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index a1fe922edb..81818f0cac 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -262,8 +262,7 @@ The following example hides the taskbar: >[!NOTE] >This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. -<<<<<<< HEAD -#### KioskModeApp +##### KioskModeApp **KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. @@ -274,10 +273,8 @@ The following example hides the taskbar: >[!IMPORTANT] >The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Direcotry account could potentially compromise confidential information. -### Configs -======= + #### Configs ->>>>>>> refs/remotes/origin/master Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. @@ -292,7 +289,7 @@ You can assign: >[!NOTE] >Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. -#### Config for AutoLogon Account +##### Config for AutoLogon Account When you use `` and the configuration is applied to a device, the specified account is created on the device as a local standard user account. The specified account is signed in automatically after restart. @@ -305,7 +302,7 @@ When you use `` and the configuration is applied to a device, ``` -#### Config for individual accounts +##### Config for individual accounts Individual accounts are specified using ``. 
@@ -334,7 +331,7 @@ Before applying the multi-app configuration, make sure the specified user accoun -#### Config for group accounts +##### Config for group accounts Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. From d691536ae6022c6c72a0cf900b61ddfbbe7df1ea Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 8 Feb 2018 12:42:26 -0800 Subject: [PATCH 10/21] Sean clarify autologon --- .../configuration/lock-down-windows-10-to-specific-apps.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 81818f0cac..1990a82052 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -291,12 +291,12 @@ You can assign: ##### Config for AutoLogon Account -When you use `` and the configuration is applied to a device, the specified account is created on the device as a local standard user account. The specified account is signed in automatically after restart. +When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. ```xml - MultiAppKioskUser + From c8f48c160de7034297db906245570656ce6c010c Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 6 Mar 2018 06:17:59 -0800 Subject: [PATCH 11/21] add note about 1804 ShellLauncher in CSP --- .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index d68048c98d..69fa11496d 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -226,6 +226,8 @@ To change the default time for assigned access to resume, add *IdleTimeOut* (DWO Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. >[!NOTE] +>In Windows 10, version (1804?), you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). +> >You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). >[!WARNING] From 4004048a725b354def7a45ba0147421127dc9a00 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 6 Mar 2018 11:53:32 -0800 Subject: [PATCH 12/21] 1803 --- .../configuration/lock-down-windows-10-to-specific-apps.md | 6 +++--- .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 1990a82052..b12148184f 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -124,7 +124,7 @@ You can start your file by pasting the following XML (or any other examples in t There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: New in Windows 10, version (1804?), this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. A lockdown profile section in the XML has the following entries: 
@@ -282,9 +282,9 @@ The full multi-app assigned access experience can only work for non-admin users. You can assign: -- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version (1804?) only) +- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) - [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts) -- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version (1804?) only) +- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only) >[!NOTE] >Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 69fa11496d..45af794846 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md 
@@ -226,7 +226,7 @@ To change the default time for assigned access to resume, add *IdleTimeOut* (DWO Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. >[!NOTE] ->In Windows 10, version (1804?), you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). +>In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). > >You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). From 9f7f059abdba25c2cdd60360f74267e4399c2b53 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 7 Mar 2018 11:11:10 -0800 Subject: [PATCH 13/21] add link kiosk HoloLens --- windows/configuration/wcd/wcd-assignedaccess.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index 683fe674f2..59ffa1510a 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md 
@@ -39,7 +39,7 @@ Enter the account and the application you want to use for Assigned access, using Use this setting to configure a kiosk device that runs more than one app. -1. [Create an assigned access configuration XML file for multiple apps.](../lock-down-windows-10-to-specific-apps.md) +1. Create an assigned access configuration XML file for multiple apps [(desktop](../lock-down-windows-10-to-specific-apps.md) or [HoloLens)](https://docs.microsoft.com/hololens/hololens-provisioning). 2. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**. 3. Browse to and select the assigned access configuration XML file. From d4f281631a148fc64f4a216012cea88e6d1378b5 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 15 Mar 2018 11:44:09 -0700 Subject: [PATCH 14/21] add EAS restriction for autologon --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 3 +++ .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index b12148184f..154e3aede9 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -302,6 +302,9 @@ When you use `` and the configuration is applied to a device, ``` +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + ##### Config for individual accounts Individual accounts are specified using ``. 
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 45af794846..9ce3e97ed9 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -182,6 +182,9 @@ Clear-AssignedAccess When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + Edit the registry to have an account automatically logged on. 1. Open Registry Editor (regedit.exe). From 6854cb96be76b672df21f171ccd9a624e6f6cff2 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 26 Mar 2018 06:20:55 -0700 Subject: [PATCH 15/21] update XML and XSD for kiosk ref # Conflicts: # windows/configuration/setup-kiosk-digital-signage.md --- windows/configuration/multi-app-kiosk-xml.md | 178 ++++++++++++------ .../setup-kiosk-digital-signage.md | 3 - 2 files changed, 123 insertions(+), 58 deletions(-) diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md index 8babcdefec..e07e8574a4 100644 --- a/windows/configuration/multi-app-kiosk-xml.md +++ b/windows/configuration/multi-app-kiosk-xml.md 
@@ -22,91 +22,114 @@ ms.author: jdecker ## Full XML sample +>[!NOTE] +>Updated for Windows 10, version 1803. + ```xml - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + ]]> - - - - - - - MultiAppKioskUser - - - + + + + + + + + + + + + + multiappuser1 + + + + singleappuser1 + + + + singleappuser + + + ``` ## XSD for AssignedAccess configuration XML +>[!NOTE] +>Updated for Windows 10, version 1803. + ```xml - - - - - - + + + + + - - - - - - - - - - - + + + + + + + + @@ -114,6 +137,10 @@ ms.author: jdecker + + + + @@ -156,18 +183,59 @@ ms.author: jdecker - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index e7e1428e75..c0576b9150 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md 
@@ -201,14 +201,11 @@ Clear-AssignedAccess > >Account type: Local standard user -<<<<<<< HEAD:windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md >[!IMPORTANT] >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). Edit the registry to have an account automatically logged on. -======= When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. ->>>>>>> refs/remotes/origin/rs4:windows/configuration/setup-kiosk-digital-signage.md >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. From 192d186922379f89418c8f50591c32a5980bbf4a Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 26 Mar 2018 06:58:46 -0700 Subject: [PATCH 16/21] sync --- windows/configuration/multi-app-kiosk-xml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md index e07e8574a4..018a8b1954 100644 --- a/windows/configuration/multi-app-kiosk-xml.md +++ b/windows/configuration/multi-app-kiosk-xml.md @@ -23,7 +23,7 @@ ms.author: jdecker ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1803. +>Updated for Windows 10, version 1803. ```xml From 7bf11e3067391268dd58e93c783c4d808b1d7a98 Mon Sep 17 00:00:00 2001 
From: Jeanie Decker Date: Mon, 26 Mar 2018 07:20:45 -0700 Subject: [PATCH 17/21] tweak XML sample --- windows/configuration/multi-app-kiosk-xml.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md index 018a8b1954..7efbd875db 100644 --- a/windows/configuration/multi-app-kiosk-xml.md +++ b/windows/configuration/multi-app-kiosk-xml.md @@ -72,6 +72,10 @@ ms.author: jdecker + + + + @@ -80,6 +84,10 @@ ms.author: jdecker + + kioskuser + + multiappuser1 From e7c2aaf6a58877686aea84bd1e8bd7a87bac602f Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 26 Mar 2018 07:30:35 -0700 Subject: [PATCH 18/21] update full XML --- windows/configuration/multi-app-kiosk-xml.md | 78 ++++++++++++++------ 1 file changed, 57 insertions(+), 21 deletions(-) diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md index 7efbd875db..cf422c85fd 100644 --- a/windows/configuration/multi-app-kiosk-xml.md +++ b/windows/configuration/multi-app-kiosk-xml.md @@ -27,9 +27,7 @@ ms.author: jdecker ```xml - + @@ -72,36 +70,74 @@ ms.author: jdecker - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + - kioskuser - - - - multiappuser1 + domain\account - singleappuser1 - + AzureAD\john@contoso.onmicrosoft.com + - singleappuser - + localaccount + + + + + + + + + + + + + + + + + + + + + + ``` ## XSD for AssignedAccess configuration XML From 0d7a93c2fad23d61c09dbc4174e2ef79f97504f3 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 27 Mar 2018 06:18:33 -0700 Subject: [PATCH 19/21] rename file --- .openpublishing.redirection.json | 5 +++++ .../configuration/{multi-app-kiosk-xml.md => kiosk-xml.md} | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) rename windows/configuration/{multi-app-kiosk-xml.md => kiosk-xml.md} (98%) 
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 79fce660b9..dd8c47e410 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6171,6 +6171,11 @@ "redirect_document_id": true }, { +"source_path": "windows/configuration/multi-app-kiosk-xml.md", +"redirect_url": "windows/configuration/kiosk-xml.md", +"redirect_document_id": true +}, +{ "source_path": "windows/configure/provisioning-uninstall-package.md", "redirect_url": "/windows/configuration/provisioning-packages/provisioning-uninstall-package", "redirect_document_id": true diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/kiosk-xml.md similarity index 98% rename from windows/configuration/multi-app-kiosk-xml.md rename to windows/configuration/kiosk-xml.md index cf422c85fd..b1ebb8d62f 100644 --- a/windows/configuration/multi-app-kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -1,6 +1,6 @@ --- -title: Multi-app kiosk XML reference (Windows 10) -description: XML and XSD for multi-app kiosk device configuration. +title: Assigned Access kiosk XML reference (Windows 10) +description: XML and XSD for kiosk device configuration. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 @@ -13,7 +13,7 @@ ms.date: 08/14/2017 ms.author: jdecker --- -# Multi-app kiosk XML reference +# Assigned Access (kiosk) XML reference **Applies to** From eab9e1202629ad5f5993cea5af2f78809202961a Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 27 Mar 2018 06:41:09 -0700 Subject: [PATCH 20/21] Lily feedback --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 2 +- windows/configuration/setup-kiosk-digital-signage.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 154e3aede9..66fa261ba9 100644 
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -264,7 +264,7 @@ The following example hides the taskbar: ##### KioskModeApp -**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. +**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. ```xml diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index c0576b9150..836cd05b1d 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md @@ -230,6 +230,9 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des >[!NOTE] >If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** +>[!TIP] +>You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md) + From 27461ef20c016a278dceccb694c166239d04fb72 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 27 Mar 2018 06:43:51 -0700 Subject: [PATCH 21/21] fix link --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 66fa261ba9..8f56e86692 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -370,7 +370,7 @@ Group accounts are specified using ``. Nested groups are not supporte ### Add XML file to provisioning package -Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). +Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
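Review bot: In the Windows Configuration Designer step 1 change (hunk `@@ -39,7 +39,7 @@`), the parentheses are split across the two links: the opening one sits inside the first link's text, `[(desktop](...)`, and the closing one inside the second, `[HoloLens)](...)`, so each rendered link carries a stray bracket. Move both parentheses outside the link text, for example `(for [desktop](../lock-down-windows-10-to-specific-apps.md) or [HoloLens](https://docs.microsoft.com/hololens/hololens-provisioning))`.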
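Review bot: The EAS note added in PATCH 14 has a malformed link in both files it touches (lock-down-windows-10-to-specific-apps.md at `@@ -302,6 +302,9 @@` and set-up-a-kiosk-for-windows-10-for-desktop-editions.md at `@@ -182,6 +182,9 @@`): the link text is closed with `}` instead of `]` in `[How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/...)`, so it will render as literal text rather than a link. Fix the bracket in both copies and change "For more informations" to "For more information". Since the same three lines are pasted into two pages, consider keeping the note in one place and linking to it, so a later correction does not have to be made twice.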
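Review bot: In PATCH 15, the setup-kiosk-digital-signage.md hunk (`@@ -201,14 +201,11 @@`) resolves a committed merge conflict by deleting only the three marker lines, which leaves both sides of the conflict in the page: the HEAD-side sentence "Edit the registry to have an account automatically logged on." now sits directly before the rs4-side paragraph "When you use the **Provision kiosk devices** wizard...", with no registry steps following it in the visible context. Decide which side belongs in this section and remove or relocate the other rather than keeping both. The retained EAS note also still carries the `}` link typo and "informations" from PATCH 14, and the "# Conflicts:" line should be dropped from the commit message.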
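Review bot: In PATCH 19, the new .openpublishing.redirection.json entry (`@@ -6171,6 +6171,11 @@`) uses `"redirect_url": "windows/configuration/kiosk-xml.md"`, which is a relative path with a `.md` extension, while the neighbouring entry in the same hunk uses a rooted, extensionless URL (`"/windows/configuration/provisioning-packages/provisioning-uninstall-package"`). Match the existing form, i.e. `"/windows/configuration/kiosk-xml"`, and confirm the redirect resolves before merging, since links to the old multi-app-kiosk-xml.md name depend on it until PATCH 21 lands.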
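Review bot: In PATCH 19, the kiosk-xml.md front-matter hunk (`@@ -13,7 +13,7 @@`) leaves `ms.date: 08/14/2017` unchanged even though this series retitles the page and rewrites the XML and XSD for version 1803. Update `ms.date` in the same commit so the published page reflects the revision.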
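Review bot: In PATCH 20, the sentence "You can only specify one kiosk profile in the XML." is appended to the KioskModeApp paragraph (`@@ -264,7 +264,7 @@`), but it is a constraint on profiles, not on the KioskModeApp element. Readers who define profiles from the Profile section will not see it there. State the limit where the kiosk profile is introduced, and say what happens when a second kiosk profile is present (for example, whether the configuration is rejected), as the page already does for group accounts assigned to a kiosk profile.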