From cccd11976e13074ac7b6e0eff155d1b58ea42fb5 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 14 Feb 2024 13:36:38 +0100
Subject: [PATCH] Update kiosk configuration TOC and author information
---
windows/configuration/docfx.json | 50 ++++-
.../kiosk/quickstart-assigned-access-kiosk.md | 177 ++++++++++++++++++
...-assigned-access-restricted-experience.md} | 12 +-
....md => quickstart-shell-launcher-kiosk.md} | 15 +-
windows/configuration/kiosk/toc.yml | 10 +-
5 files changed, 239 insertions(+), 25 deletions(-)
create mode 100644 windows/configuration/kiosk/quickstart-assigned-access-kiosk.md
rename windows/configuration/kiosk/{quickstart-restricted-experience.md => quickstart-assigned-access-restricted-experience.md} (96%)
rename windows/configuration/kiosk/{quickstart-kiosk.md => quickstart-shell-launcher-kiosk.md} (81%)
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 3cb065efa0..a0dd023282 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -43,8 +43,6 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.subservice": "itpro-configure",
"ms.service": "windows-client",
- "ms.author": "paoloma",
- "author": "paolomatarazzo",
"manager": "aaroncz",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@@ -75,20 +73,56 @@
"ue-v/**/*.*": "None"
},
"author":{
- "wcd//**/*.md": "vinaypamnani-msft",
- "wcd//**/*.yml": "vinaypamnani-msft",
+ "accessibility//**/*.md": "paolomatarazzo",
+ "accessibility//**/*.yml": "paolomatarazzo",
+ "cellular//**/*.md": "paolomatarazzo",
+ "cellular//**/*.yml": "paolomatarazzo",
+ "kiosk//**/*.md": "paolomatarazzo",
+ "kiosk//**/*.yml": "paolomatarazzo",
+ "lock-screen//**/*.md": "paolomatarazzo",
+ "lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft",
+ "shared-pc//**/*.md": "paolomatarazzo",
+ "shared-pc//**/*.yml": "paolomatarazzo",
+ "start//**/*.md": "paolomatarazzo",
+ "start//**/*.yml": "paolomatarazzo",
+ "store//**/*.md": "paolomatarazzo",
+ "store//**/*.yml": "paolomatarazzo",
+ "taskbar//**/*.md": "paolomatarazzo",
+ "taskbar//**/*.yml": "paolomatarazzo",
+ "tips//**/*.md": "paolomatarazzo",
+ "tips//**/*.yml": "paolomatarazzo",
"ue-v//**/*.md": "aczechowski",
- "ue-v//**/*.yml": "aczechowski"
+ "ue-v//**/*.yml": "aczechowski",
+ "wcd//**/*.md": "vinaypamnani-msft",
+ "wcd//**/*.yml": "vinaypamnani-msft"
},
"ms.author":{
- "wcd//**/*.md": "vinpa",
- "wcd//**/*.yml": "vinpa",
+ "accessibility//**/*.md": "paoloma",
+ "accessibility//**/*.yml": "paoloma",
+ "cellular//**/*.md": "paoloma",
+ "cellular//**/*.yml": "paoloma",
+ "kiosk//**/*.md": "paoloma",
+ "kiosk//**/*.yml": "paoloma",
+ "lock-screen//**/*.md": "paoloma",
+ "lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa",
+ "shared-pc//**/*.md": "paoloma",
+ "shared-pc//**/*.yml": "paoloma",
+ "start//**/*.md": "paoloma",
+ "start//**/*.yml": "paoloma",
+ "store//**/*.md": "paoloma",
+ "store//**/*.yml": "paoloma",
+ "taskbar//**/*.md": "paoloma",
+ "taskbar//**/*.yml": "paoloma",
+ "tips//**/*.md": "paoloma",
+ "tips//**/*.yml": "paoloma",
"ue-v//**/*.md": "aaroncz",
- "ue-v//**/*.yml": "aaroncz"
+ "ue-v//**/*.yml": "aaroncz",
+ "wcd//**/*.md": "vinpa",
+ "wcd//**/*.yml": "vinpa"
},
"ms.reviewer":{
"kiosk//**/*.md": "sybruckm",
diff --git a/windows/configuration/kiosk/quickstart-assigned-access-kiosk.md b/windows/configuration/kiosk/quickstart-assigned-access-kiosk.md
new file mode 100644
index 0000000000..3f4c0f3fc8
--- /dev/null
+++ b/windows/configuration/kiosk/quickstart-assigned-access-kiosk.md
@@ -0,0 +1,177 @@
+---
+title: "Quickstart: Configure a kiosk experience with Assigned Access"
+description: Learn how to configure a kiosk experience with Assigned Access, using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
+ms.topic: quickstart
+ms.date: 02/05/2024
+appliesto:
+- ✅ Windows 11
+---
+
+# Quickstart: Configure a kiosk experience with Assigned Access"
+
+With a *restricted user experience*, you can control the applications allowed in a locked down Windows desktop.
+
+This quickstart provides practical examples of how to configure a restricted user experience on Windows 11. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
+
+The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
+
+## Prerequisites
+
+>[!div class="checklist"]
+>Here's a list of requirements to complete this quickstart:
+>
+>- A Windows 11 device
+>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
+>- Windows Configuration Designer, if you want to configure the settings using a provisioning package
+>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
+
+## Configure a restricted user experience
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+> [!TIP]
+> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
+Content-Type: application/json
+
+{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example", "description": "Collection of settings for Assigned Access", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] }
+```
+
+[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
+
+- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
+- **Value:**
+
+[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
+
+#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
+
+- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
+- **Value:**
+
+[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
+
+[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
+
+#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
+
+[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
+
+```powershell
+$assignedAccessConfiguration = @"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+"@
+
+$eventLogFilterHashTable = @{
+ ProviderName = "Microsoft-Windows-AssignedAccess";
+ StartTime = Get-Date -Millisecond 0
+}
+
+$namespaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)
+$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
+if($cimSetError) {
+ Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
+ Write-Error -ErrorRecord $cimSetError[0]
+
+ $timeout = New-TimeSpan -Seconds 30
+ $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ do{
+ $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
+ } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
+
+ if($events.Count) {
+ $events | ForEach-Object {
+ Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
+ }
+ } else {
+ Write-Warning "Timed-out attempting to retrieve event logs..."
+ }
+
+ Exit 1
+}
+
+Write-Output "Successfully applied Assigned Access configuration"
+```
+
+[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
+
+---
+
+## User experience
+
+After the settings are applied, reboot the device. A user account named `Library Kiosk` is automatically signed in, with access to a limited set of applications, which are pinned to the Start menu.
+
+:::image type="content" source="images/quickstart-restricted-experience.png" alt-text="Screenshot of the Windows desktop used for the quickstart." border="false":::
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn more how to configure Windows to execute as a restricted user experience:
+>
+> [Configure a restricted user experience](lock-down-windows-11-to-specific-apps.md)
+
+
+
+[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
diff --git a/windows/configuration/kiosk/quickstart-restricted-experience.md b/windows/configuration/kiosk/quickstart-assigned-access-restricted-experience.md
similarity index 96%
rename from windows/configuration/kiosk/quickstart-restricted-experience.md
rename to windows/configuration/kiosk/quickstart-assigned-access-restricted-experience.md
index 4856d601f4..aad82b6c36 100644
--- a/windows/configuration/kiosk/quickstart-restricted-experience.md
+++ b/windows/configuration/kiosk/quickstart-assigned-access-restricted-experience.md
@@ -70,12 +70,12 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
```powershell
$assignedAccessConfiguration = @"
-
+ >
@@ -83,7 +83,7 @@ $assignedAccessConfiguration = @"
-
+
@@ -94,7 +94,7 @@ $assignedAccessConfiguration = @"
-
+
-
+
diff --git a/windows/configuration/kiosk/quickstart-kiosk.md b/windows/configuration/kiosk/quickstart-shell-launcher-kiosk.md
similarity index 81%
rename from windows/configuration/kiosk/quickstart-kiosk.md
rename to windows/configuration/kiosk/quickstart-shell-launcher-kiosk.md
index a700b7372c..1de7311010 100644
--- a/windows/configuration/kiosk/quickstart-kiosk.md
+++ b/windows/configuration/kiosk/quickstart-shell-launcher-kiosk.md
@@ -1,15 +1,15 @@
---
-title: "Quickstart: Configure a restricted user experience"
-description: Learn how to configure a restricted user experience using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
+title: "Quickstart: configure a kiosk experience with Shell Launcher"
+description: Learn how to configure a kiosk experience with Shell Launcher, using Windows Configuration Designer, Microsoft Intune, or PowerShell.
ms.topic: quickstart
ms.date: 02/05/2024
appliesto:
- ✅ Windows 11
---
-# Quickstart: Configure a kiosk device
+# Quickstart: configure a kiosk experience with Shell Launcher
-Add intro about single-use device and shell launcher
+This quickstart provides the information to configure a kiosk experience with Shell Launcher, using Windows Configuration Designer, Microsoft Intune, or PowerShell.
## Prerequisites
@@ -61,7 +61,7 @@ xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
-
+
@@ -84,7 +84,8 @@ $namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
-$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
+$obj = Set-CimInstance -CimInstance $obj
+
```
@@ -94,7 +95,7 @@ $obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction
## User experience
-After the settings are applied, reboot the device. A local account is automatically signed in, and the Weather app starts automatically in full screen.
+After the settings are applied, reboot the device. A local account is automatically signed in, and Microsoft Edge app starts automatically in full screen, opening the London Heathrow airport map.
## Next steps
diff --git a/windows/configuration/kiosk/toc.yml b/windows/configuration/kiosk/toc.yml
index 4fbff76f94..d517b1fe67 100644
--- a/windows/configuration/kiosk/toc.yml
+++ b/windows/configuration/kiosk/toc.yml
@@ -3,10 +3,12 @@ items:
href: kiosk-methods.md
- name: Quickstarts
items:
- - name: Configure a kiosk device
- href: quickstart-kiosk.md
- - name: Configure a restricted user experience
- href: quickstart-restricted-experience.md
+ - name: Configure a kiosk experience with Assigned Access
+ href: quickstart-assigned-access-kiosk.md
+ - name: Configure a restricted user experience with Assigned Access
+ href: quickstart-assigned-access-restricted-experience.md
+ - name: Configure a kiosk experience with Shell Launcher
+ href: quickstart-shell-launcher-kiosk.md
- name: Concepts
items:
- name: Prepare a device for kiosk configuration