mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Update kiosk configuration files and recommendations
parent
28667c4d3a
commit
c3dd31df0c
@ -347,7 +347,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/kiosk-prepare.md",
|
||||
"redirect_url": "/windows/configuration/kiosk/kiosk-prepare",
|
||||
"redirect_url": "/windows/configuration/kiosk/recommendations",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
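Review bot: The new target for `windows/configuration/kiosk-prepare.md` is `/windows/configuration/kiosk/recommendations`, but the entries added further down in this same file send `kiosk/` paths on to `/windows/configuration/assigned-access/...`. Please confirm that `/windows/configuration/kiosk/recommendations` resolves directly to a live page and is not itself redirected, so that old bookmarks do not go through a redirect chain. If the recommendations page lives under `assigned-access/`, point this entry there in one hop.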
@ -799,6 +799,11 @@
|
||||
"source_path": "windows/configuration/kiosk/kiosk-methods.md",
|
||||
"redirect_url": "/windows/configuration/assigned-access",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/kiosk/guidelines-for-assigned-access-app.md",
|
||||
"redirect_url": "/windows/configuration/assigned-access/overview",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
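Review bot: The added entry for `kiosk/guidelines-for-assigned-access-app.md` redirects to the generic `/windows/configuration/assigned-access/overview`, so inbound links that used a fragment such as `#guidelines-for-web-browsers` (removed elsewhere in this commit) will land at the top of a page that may not contain that guidance. Confirm that the app and browser guidelines were moved into the overview, or redirect to the page that now holds them.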
@ -72,7 +72,7 @@ Here are the steps to configure a kiosk using the Settings app:
|
||||
>[!NOTE]
|
||||
>If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
|
||||
|
||||
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
|
||||
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
|
||||
|
||||
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
|
||||
- Which URL should be open when the kiosk accounts signs in
|
||||
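Review bot: Step 1 still states "Only apps that can run above the lock screen will be available in the list of apps to choose from", but with the `guidelines-for-app.md` link removed the reader has no pointer to which apps qualify. If that guidance still exists under a new path, replace the link target instead of dropping the sentence. Otherwise, add a short inline statement of the criteria. While editing this step, "when the kiosk accounts signs in" in the following bullet should read "kiosk account signs in".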
@ -291,9 +291,6 @@ An Assigned Access multi-app kiosk runs one or more apps from the desktop. Peopl
|
||||
> [!WARNING]
|
||||
> The Assigned Access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app Assigned Access configuration is applied on the device, [certain policy settings](policy-settings.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the Assigned Access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
|
||||
|
||||
> [!TIP]
|
||||
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
|
||||
|
||||
### Provisioning package
|
||||
|
||||
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](xsd.md).
|
||||
|
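Review bot: Deleting the `[!TIP]` that linked to the configuration recommendations removes the only pointer from this section to that page, directly after the warning that multi-app Assigned Access enforces policy system-wide. The TOC change in this commit shows the page continues to exist as `recommendations.md`, so updating the link target from `kiosk-prepare.md` to `recommendations.md` would keep the cross-reference instead of losing it.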
@ -42,7 +42,7 @@ Here are the steps to configure a kiosk using the Settings app:
|
||||
>[!NOTE]
|
||||
>If there are any local standard user accounts already, the **Create an account** dialog offers the option to **Choose an existing account**
|
||||
|
||||
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
|
||||
1. Choose the application to run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. If you select **Microsoft Edge** as the kiosk app, you configure the following options:
|
||||
|
||||
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
|
||||
- Which URL should be open when the kiosk accounts signs in
|
||||
|
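Review bot: This is the same edit to the same step 1 text that appears in the earlier hunk at line 72 of another file, which means the Settings-app procedure is maintained in two places. Consider moving the shared steps into a single include file so the two copies cannot drift. The point about the lost pointer to the app guidelines applies here as well.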
@ -174,7 +174,7 @@ For a more secure kiosk experience, we recommend that you make the following con
|
||||
|
||||
Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
|
||||
|
||||
:::image type="content" source="images/enable-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
|
||||
:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
|
||||
|
||||
## Automatic logon
|
||||
|
||||
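Review bot: The context sentence directly above the renamed image reads "Logs can help you [troubleshoot issues](...) kiosk issues", with "issues" doubled around the link. Since this paragraph is being touched anyway, fix it to "troubleshoot kiosk issues". Also confirm that `images/enable-assigned-access-log.png` is added under the same `images/` folder this file resolves against, since the old `enable-log.png` reference is removed in the same change.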
@ -183,9 +183,6 @@ You may also want to set up **automatic logon** for your kiosk device. When your
|
||||
> [!NOTE]
|
||||
> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
|
||||
|
||||
> [!TIP]
|
||||
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
|
||||
|
||||
How to edit the registry to have an account sign in automatically:
|
||||
|
||||
1. Open Registry Editor (regedit.exe).
|
||||
|
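Review bot: Removing the `[!TIP]` about the kiosk wizard and provisioning-package XML leaves "How to edit the registry to have an account sign in automatically" as the only method this section describes for automatic logon. If the links to `kiosk-single-app.md` and `lock-down-windows-10-to-specific-apps.md` are stale, retarget them to the current pages and keep the tip, so readers still learn that automatic sign-in can be set in the wizard or XML without hand-editing the registry.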
@ -63,7 +63,7 @@ After the settings are applied, reboot the device. A local user account is autom
|
||||
> [!div class="nextstepaction"]
|
||||
> Learn more how to create a Shell Launcher configuration file:
|
||||
>
|
||||
> [Create a Shell Launcher configuration file](create-configuration.md)
|
||||
> [Create a Shell Launcher configuration file](configuration-file.md)
|
||||
|
||||
<!--links-->
|
||||
|
||||
|
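Review bot: The link "Create a Shell Launcher configuration file" now targets `configuration-file.md`, which is the same file name the TOC in this commit uses for "Create an Assigned Access configuration file". Please verify that the relative path resolves to the Shell Launcher article in this folder and not to the Assigned Access one. The lead-in "Learn more how to create" is also missing a word ("Learn more about how to create").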
@ -16,7 +16,7 @@ items:
|
||||
- name: Create an Assigned Access configuration file
|
||||
href: configuration-file.md
|
||||
- name: Prepare a device for kiosk configuration
|
||||
href: kiosk-prepare.md
|
||||
href: recommendations.md
|
||||
- name: Reference
|
||||
items:
|
||||
- name: Assigned Access XSD
|
||||
|
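Review bot: The `href` changes to `recommendations.md`, but the entry name stays "Prepare a device for kiosk configuration". Align the TOC name with the renamed page's title (the commit message calls it "recommendations") so the navigation label and the landing page agree.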
Before Width: | Height: | Size: 418 KiB After Width: | Height: | Size: 418 KiB |
@ -295,7 +295,7 @@ This section describes the **Policies** settings that you can configure in [prov
|
||||
|
||||
## KioskBrowser
|
||||
|
||||
These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../kiosk/guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
|
||||
These settings apply to the **Kiosk Browser** app available in Microsoft Store.
|
||||
|
||||
| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | --- | :---: | :---: | :---: | :---: |
|
||||
|
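Review bot: Dropping "For more information, see [Guidelines for web browsers](...)" leaves the KioskBrowser section with no reference explaining how the browser should be restricted, only the settings table. If the web browser guidance still exists after the move, link to its new location here. If it was retired, say so in the commit message so reviewers know the removal is intentional.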
@ -13,7 +13,7 @@ ms.topic: include
|
||||
| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The anti-malware software can use the log to determine whether components that ran before it are trustworthy, or if they're infected with malware. The anti-malware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
|
||||
| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
|
||||
| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
|
||||
| **[Assigned Access](/windows/configuration/assigned-access/)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
|
||||
| **[Assigned Access](/windows/configuration/assigned-access/overview)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
|
||||
|
||||
## Virus and threat protection
|
||||
|
||||
|
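Review bot: The Assigned Access link is changed to `/windows/configuration/assigned-access/overview`, while the redirect for `kiosk/kiosk-methods.md` in this same commit's context points to `/windows/configuration/assigned-access` without `/overview`. Pick one canonical URL for the landing page and use it in both places. In the same cell, "or A multi-app kiosk" has a stray capital "A".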