From 3a98b0470cf607b20e2bf1fdd90d317ca0b64801 Mon Sep 17 00:00:00 2001 From: Michael Niehaus Date: Tue, 12 Feb 2019 08:53:45 -0800 Subject: [PATCH 1/9] Update self-deploying.md Cleaned up the page, added some additional notes to address common customer pain points. --- .../windows-autopilot/self-deploying.md | 44 ++++++++----------- 1 file changed, 18 insertions(+), 26 deletions(-) diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index 697dc354e7..bbc5695557 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md 
@@ -14,46 +14,38 @@ ms.author: greg-lindsay # Windows Autopilot Self-Deploying mode (Preview) -**Applies to: Windows 10, build 17672 or later** +**Applies to: Windows 10, version 1809 or later** -Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. ->[!NOTE] ->In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. +Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection). -![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) - ->[!NOTE] ->While today there is a “Next” button that must be clicked to continue the deployment process, and an Activities opt-in page in OOBE, both of these will be removed in future Insider Preview builds to enable a completely automated deployment process – no user authentication or user interaction will be required. 
- -Self-deploying mode can register the device into an organization’s Azure Active Directory tenant, enroll the device in the organization’s mobile device management (MDM) provider (leveraging Azure AD for automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device before the user ever logs on (levering the enrollment status page to prevent access to the desktop until the device is fully provisioned). +Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, levering the enrollment status page to prevent access to the desktop until the device is fully provisioned. >[!NOTE] >Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory. -Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. +Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. 
>[!NOTE] ->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the proess). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. -Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. - -Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, you’ll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices you’d like to validate. +![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) + +## Requirements + +Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. 
The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.) + +>[!NOTE] +>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.) + +In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. ## Step by step In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed: - Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.) -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each machine that will be deployed using self-deploying mode, these additional steps are needed: - -- Ensure that the device supports TPM 2.0 and device attestation. (Note that virtual machines are not supported.) -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. 
-- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device. +- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete. ## Validation @@ -72,4 +64,4 @@ When performing a self-deploying mode deployment using Windows Autopilot, the fo - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials. - Automatically sign in as a local account, for devices configured as a kiosk or digital signage. -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. \ No newline at end of file +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. From 6e038a31e689f9e7046fad291010248b3f8de3a3 Mon Sep 17 00:00:00 2001 From: Michael Niehaus Date: Tue, 12 Feb 2019 09:01:45 -0800 Subject: [PATCH 2/9] Update self-deploying.md Fixed a typo (proess should be process). --- windows/deployment/windows-autopilot/self-deploying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index bbc5695557..e8a141004f 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md 
@@ -26,7 +26,7 @@ Self-deploying mode joins the device into Azure Active Directory, enrolls the de Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. >[!NOTE] ->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the proess). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. ![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) From c7efabe866a368528578e4a552d337fbbfc754ad Mon Sep 17 00:00:00 2001 
From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 13 Feb 2019 12:58:05 -0800 Subject: [PATCH 3/9] Update ethernet-adapters-and-surface-device-deployment.md --- .../ethernet-adapters-and-surface-device-deployment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index 2e6455f840..46c4dda2d0 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -32,9 +32,9 @@ Booting from the network (PXE boot) is only supported when you use an Ethernet a The following Ethernet devices are supported for network boot with Surface devices: -- Surface USB to Ethernet adapter +- Surface USB-C to Ethernet and USB 3.0 Adapter -- Surface USB 3.0 Ethernet adapter +- Surface USB 3.0 to Gigabit Ethernet Adapter - Surface Dock From 280bf4d3e930b161f07700752a5f667d5b99f57a Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 13 Feb 2019 16:38:37 -0800 Subject: [PATCH 4/9] Update index.md --- devices/surface/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/devices/surface/index.md b/devices/surface/index.md index 20d2c00e79..e559820d25 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md 
@@ -31,6 +31,7 @@ For more information on planning for, deploying, and managing Surface devices in | [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. | | [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. | | [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. | +| [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | Learn how to investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. | | [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. | | [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. | | [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. | From d27362a7476c52374384a76348f10a063d816639 Mon Sep 17 00:00:00 2001 From: Jerry Abouelnasr <38887871+MSFTJerryAb@users.noreply.github.com> Date: Thu, 14 Feb 2019 10:46:31 -0600 Subject: [PATCH 5/9] Update self-deploying.md typo --- windows/deployment/windows-autopilot/self-deploying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index e8a141004f..68138d4b86 100644 
--- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -18,7 +18,7 @@ ms.author: greg-lindsay Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection). -Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, levering the enrollment status page to prevent access to the desktop until the device is fully provisioned. +Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned. >[!NOTE] >Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory. From 80a88d1f6f1a6d6bb5f4a2b65ce846d596a3f1de Mon Sep 17 00:00:00 2001 From: Kellie Eickmeyer <42247317+kellieei@users.noreply.github.com> Date: Thu, 14 Feb 2019 12:02:02 -0800 Subject: [PATCH 6/9] Update lock-down-windows-10-to-specific-apps.md --- .../configuration/lock-down-windows-10-to-specific-apps.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index caa9d860ab..8d05c250ac 100644 
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -178,7 +178,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). -- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). +- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: @@ -674,4 +674,4 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont ## Other methods -Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). \ No newline at end of file +Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). From c117621f71b15ffc56c3ba0904be929f4a174910 Mon Sep 17 00:00:00 2001 
From: Spencer Shumway <45644477+spshumwa@users.noreply.github.com> Date: Thu, 14 Feb 2019 14:26:22 -0800 Subject: [PATCH 7/9] Update registration-auth.md --- windows/deployment/windows-autopilot/registration-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index e47d792388..5a5dcf695d 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -39,7 +39,7 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus ![Request a reseller relationship](images/csp1.png) - Select the checkbox indicating whether or not you want delegated admin rights: ![Delegated rights](images/csp2.png) - - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in tihs document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges + - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges - Send the template above to the customer via email. 2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: 
From 0978f56e7e6d4f701d24b1f664c7622b50e28e2a Mon Sep 17 00:00:00 2001 From: andreiztm Date: Fri, 15 Feb 2019 09:47:42 +0200 Subject: [PATCH 8/9] Adding the latest article for WUfB/WaaS As seen on: https://twitter.com/johntwilcox/status/1096151895041658880 --- windows/deployment/update/windows-as-a-service.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 9f15d874d2..25472e32ba 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -24,6 +24,7 @@ Everyone wins when transparency is a top priority. We want you to know when upda The latest news:
    +
  • Windows Update for Business and the retirement of SAC-T - February 14, 2019
  • Application compatibility in the Windows ecosystem - January 15, 2019
  • Windows monthly security and quality updates overview - January 10, 2019
  • Driver quality in the Windows ecosystem - December 19, 2018
  • From c2aa20b3c2ed4b08fbc112cc660c8b3c98997f64 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 15 Feb 2019 17:21:08 +0000 Subject: [PATCH 9/9] Merged PR 14315: replace Intune instructions w/links to Intune's docs --- ...change-history-for-configure-windows-10.md | 7 ++++++ windows/configuration/kiosk-shelllauncher.md | 4 +-- windows/configuration/kiosk-single-app.md | 20 ++------------- .../lock-down-windows-10-to-specific-apps.md | 25 +------------------ 4 files changed, 12 insertions(+), 44 deletions(-) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 88f01acdce..52fa2a92d0 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -17,6 +17,13 @@ ms.date: 11/07/2018 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## February 2019 + +New or changed topic | Description +--- | --- +[Set up a single-app kiosk](kiosk-single-app.md) | Replaced instructions for Microsoft Intune with a link to the Intune documentation. +[Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) | Replaced instructions for Intune with a link to the Intune documentation. + ## January 2019 New or changed topic | Description diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 02c0137f83..e928698268 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -36,7 +36,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt -### Requirements +## Requirements >[!WARNING] >- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. 
@@ -50,7 +50,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt [See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) -### Configure Shell Launcher +## Configure Shell Launcher To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 7c3e7243b9..64a3ca542a 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -238,30 +238,14 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des > >Account type: Local standard user, Azure AD -![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. >[!TIP] >Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Single app kiosk**. -1. Enter the user account (Azure AD or a local standard user account). -11. Enter the Application User Model ID for an installed app. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. 
+To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For other MDM services, see the documentation for your provider. diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 8d05c250ac..b927ef5c8e 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -46,30 +46,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi ## Configure a kiosk in Microsoft Intune -1. [Generate the Start layout for the kiosk device.](#startlayout) -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Kiosk (Preview)** for the profile type. -9. Select **Kiosk - 1 setting available**. -10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. -12. Enter a friendly name for the configuration. -10. In **Kiosk Mode**, select **Multi app kiosk**. -13. Select an app type. - - For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**. - - For **Add managed apps**, select an app that you manage through Intune. - - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app. -14. Select whether to enable the taskbar. -15. Browse to and select the Start layout XML file that you generated in step 1. -16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available. -17. Select **OK**. You can add additional configurations or finish. -18. Assign the profile to a device group to configure the devices in that group as kiosks. - ->[!NOTE] ->Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. +To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). 
For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows). ## Configure a kiosk using a provisioning package
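Review bot: the rewritten "Step by step" list in PATCH 1/9 (self-deploying.md, first hunk) drops the per-device prerequisite "Ensure that the device has been added to Windows Autopilot" together with its link to add-devices.md, so the steps now go from creating and assigning the profile straight to "Boot the device". The removed text treated registration as something to confirm for every machine, and nothing in the new list replaces it; I would keep one bullet for it with the add-devices.md link. In the same hunk, the relocated Requirements note still reads "does not have support TPM 2.0" (should be "does not support TPM 2.0"), and the new intro spells "Wi-fi" where "Wi-Fi" is meant.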
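Review bot: "a single app" in the changed AutoLaunch bullet of PATCH 6/9 (lock-down-windows-10-to-specific-apps.md, first hunk) can be read either as "one app of your choice" or as "at most one app per profile". If the limit is the intent, state it outright rather than leaving it to the article. The unchanged context line directly below still has "mult-app kiosk configuration", which could be corrected to "multi-app" in the same change.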
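Review bot: the NOTE line corrected in PATCH 7/9 (registration-auth.md) still ends in a bare URL that carries the /en-us/ locale segment, while the other docs.microsoft.com links in this series are locale-free and use Markdown link syntax. Since the line is being touched anyway, suggest turning the URL into a Markdown link with descriptive text and dropping the locale segment.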
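Review bot: the change-history-for-configure-windows-10.md hunk in PATCH 9/9 adds a "February 2019" section while the hunk header still shows "ms.date: 11/07/2018", and the file's 7 insertions are all accounted for by the new section, so the metadata date was not updated. Suggest bumping ms.date in the same commit so the page date matches its newest entry.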
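Review bot: the kiosk-single-app.md hunk in PATCH 9/9 removes the reference to images/kiosk-intune.png, but the diffstat lists only four .md files and no image deletion, so the image may be left orphaned in the repository. Check whether any other page still references it and delete the file in this change if not.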
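Review bot: the replacement paragraph in the lock-down-windows-10-to-specific-apps.md hunk of PATCH 9/9 loses the removed step 1, "[Generate the Start layout for the kiosk device.](#startlayout)", and its first link is titled for a "dedicated kiosk" on a page about multi-app kiosks. Suggest keeping one sentence that names the Start layout as a prerequisite with the #startlayout link, and wording the link text so it is clear the target also covers the multi-app case.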